Wilhelm Meier <[EMAIL PROTECTED]> writes:

> On Monday 27 October 2008 Pierangelo Masarati wrote:
>> Wilhelm Meier wrote:
>> > I don't see how to make this work with the rwm-overlay or some
>> > sort of acls.
>> > But I'm sure, I missed something ...
>>
>> You probably didn't read slapd.access(5) where it discusses the
>> "filter" form of the <what> clause.
>
> Thank you for this advice, but it doesn't fully solve the problem:
>
> access to attrs=userPassword,shadowLastChange
>     dn.regex="uid=([^,]+),ou=Benutzer,dc=kmux,dc=de"
>     filter="gidNumber=998"
>     by dn="cn=admin,dc=kmux,dc=de" write
>     by anonymous auth
>     by self write
>     by * none
>
> This limits the authentication to users whose posix primary (!) group
> has the gid-number 998 (the dn.regex in the example above isn't
> needed).
>
> But that's not the whole story. We want to grant access also to those
> users one of whose secondary (!) posix groups is some special
> group, e.g. cn=archiv,ou=gruppen,dc=kmux,dc=de
>
> So it must be possible to search for an object of
> objectclass=posixGroup with the attribute memberUid=<uid>, where
> <uid> is the value of the uid-attribute of the user who tries to
> bind to the slapd. If this search returns one (or more) results, the
> user should be authenticated.
This can be solved with sets: http://www.openldap.org/faq/data/cache/1133.htm
And search the mail archive; numerous examples can be found there.

-Dieter

-- 
Dieter Klünter | System consulting
sip: +49.180.1555.7770535
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
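One way to write the secondary-group rule with the set syntax Dieter points to, as an added example for this page (it is not a configuration from the thread or from the OpenLDAP FAQ). The admin DN, the user base ou=Benutzer and the primary gid 998 are taken from Wilhelm's quoted ACL; the group entry cn=archiv,ou=gruppen,dc=kmux,dc=de is assumed to be a posixGroup whose memberUid values are the users' uid strings. The primary-group case stays in a first "access to" clause with the filter form, and because slapd uses the first "access to" whose <what> matches the entry, users who fall through (primary gid is not 998) are judged by the second clause, where a set compares the target entry's uid with the group's memberUid. Several qualifiers in one "by" clause must all match, so "anonymous set=..." means "anonymous bind, and the entry is listed in the group":

```conf
# slapd.conf ACL fragment (added example; DNs assumed as described above).
# Evaluated in order: the first "access to" whose <what> matches the entry
# decides, and within it the first matching "by" clause wins.

# 1. Users whose primary POSIX group is gid 998 may bind and change
#    their own password; nobody else but the admin sees userPassword.
access to attrs=userPassword,shadowLastChange
        filter="(gidNumber=998)"
        by dn.exact="cn=admin,dc=kmux,dc=de" write
        by anonymous auth
        by self write
        by * none

# 2. Everybody else (primary gid != 998): the same rights, but only when
#    the entry's uid appears in memberUid of the assumed archiv group.
#    "this" is the entry being accessed, "[dn]/attr" reads that attribute
#    from the named entry, "&" is set intersection; the set matches when
#    the intersection is non-empty. Values are compared as strings, so
#    memberUid must hold exactly the uid value of the user entry.
access to attrs=userPassword,shadowLastChange
        by dn.exact="cn=admin,dc=kmux,dc=de" write
        by anonymous set="this/uid & [cn=archiv,ou=gruppen,dc=kmux,dc=de]/memberUid" auth
        by self set="this/uid & [cn=archiv,ou=gruppen,dc=kmux,dc=de]/memberUid" write
        by * none

# Any "access to" clauses for the rest of the tree (e.g. "access to *")
# follow here, as in the original configuration.
```

To check the rule before relying on it, bind as a user whose only link to the archiv group is a memberUid value (ldapwhoami -x -D "uid=<user>,ou=Benutzer,dc=kmux,dc=de" -W) and then as a user who is in neither group: the first bind succeeds, the second fails with invalid credentials, which is the same answer slapd gives for a wrong password, so do not look for an "access denied" in the client. slapacl(8) evaluates the same decision offline against the configuration file without binding, e.g. slapacl -f /etc/ldap/slapd.conf -b "uid=<user>,ou=Benutzer,dc=kmux,dc=de" userPassword/auth for the anonymous case, and with -D for a bound identity. Removing a user from memberUid takes effect at the next bind, since the set is re-evaluated on every access check rather than cached in the user entry.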
