On Mon, Jan 16, 2017 at 03:21:41PM +0000, Philip Colmer wrote:

> to dn.sub="ou=groups,dc=example,dc=com" by dnattr="owner" write by set="this/owner/member & user" write by users none by * none

> Is there a way of performing an LDAP search that does the equivalent of the ACL (or something like it) to tell me which groups can be written to for a given DN?

I don't think you will be able to do that in a single LDAP operation on a standard server.
The most efficient way is probably:

        Search for all groups that the user is a member of, returning just the DN

        Search for all groups where any of those DNs are found in the owner attribute

Beware though, that if some users are members of very large numbers of groups then the search assertion could be very large...

If you have the memberof overlay then you may be able to simplify the process by having it maintain an 'ownerOf' attribute in the group entries. Then you could get what you want in a single search:

        Match: (&(objectclass=groupOfNames)(member=<user DN>))
        Return: ownerOf attribute

This may return multiple entries. You just need to gather up all the ownerOf values.
To be really cute you could add the dynlist overlay to do this for you...

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
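The two-step procedure from the reply above, written out as an added example (it is not code from the thread or from Skills 1st). It assumes groupOfNames entries under ou=groups,dc=example,dc=com whose member and owner attributes hold DNs, as in the quoted ACL; because that ACL also grants write by dnattr="owner", the user's own DN is added to the list of DNs searched for in owner. The directory server is replaced by a constructed in-memory entry list and a tiny filter matcher so the example runs offline; against a real server the search callable would wrap ldapsearch or an LDAP client library and receive the same filter strings. The DN values are escaped per RFC 4515 before being placed in a filter, and the owner-DN list is sent in batches so the assertion cannot grow without bound.

```python
"""Groups a user can write to via group ownership: two searches, batched.
Added example; assumes groupOfNames with DN-valued member/owner attributes."""
import re
from typing import Callable, Dict, Iterable, Iterator, List

Entry = Dict[str, List[str]]  # lowercase attribute name -> values; 'dn' holds one value

# Characters RFC 4515 requires to be escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in a search filter.
    DNs may legitimately contain '(' or ')', and a DN from an untrusted source
    could contain '*' or ')' to widen the search, so never interpolate a raw DN."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def member_filter(user_dn: str) -> str:
    """Step 1: groups in which the user is a direct member (only the DN is needed)."""
    return f"(&(objectClass=groupOfNames)(member={escape_filter_value(user_dn)}))"


def owner_filter(owner_dns: Iterable[str]) -> str:
    """Step 2: groups whose 'owner' attribute holds any of the given DNs."""
    terms = "".join(f"(owner={escape_filter_value(dn)})" for dn in owner_dns)
    return f"(&(objectClass=groupOfNames)(|{terms}))"


def chunked(items: List[str], size: int) -> Iterator[List[str]]:
    """Split the owner-DN list so no single filter becomes very large."""
    for i in range(0, len(items), size):
        yield items[i:i + size]


def writable_groups(search: Callable[[str], List[Entry]], user_dn: str,
                    batch_size: int = 50) -> List[str]:
    """DNs of groups the user may write to under the quoted ACL.
    'search' takes a filter string and returns the matching entries."""
    memberships = [e["dn"][0] for e in search(member_filter(user_dn))]
    # The ACL also grants write when the user's own DN is in 'owner'
    # (by dnattr="owner"), so the user DN joins the group DNs from step 1.
    candidates = [user_dn] + memberships
    writable = set()
    for batch in chunked(candidates, batch_size):
        writable.update(e["dn"][0] for e in search(owner_filter(batch)))
    return sorted(writable)


# --- Constructed stand-in for the server: equality, '&' and '|' filters only ---

def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(filt: str, pos: int = 0):
    """Parse the filter subset emitted above into a small AST."""
    if filt[pos] != "(":
        raise ValueError("filter must start with '('")
    pos += 1
    if filt[pos] in "&|":
        op, pos, children = filt[pos], pos + 1, []
        while filt[pos] == "(":
            node, pos = _parse(filt, pos)
            children.append(node)
        return (op, children), pos + 1          # skip the closing ')'
    end = filt.index(")", pos)                  # safe: ')' inside values is escaped
    attr, _, value = filt[pos:end].partition("=")
    return ("=", attr.lower(), _unescape(value)), end + 1


def _matches(node, entry: Entry) -> bool:
    if node[0] == "&":
        return all(_matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(_matches(c, entry) for c in node[1])
    _, attr, value = node                       # case-insensitive equality (simplified DN matching)
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def make_search(directory: List[Entry]) -> Callable[[str], List[Entry]]:
    def search(filt: str) -> List[Entry]:
        ast, _ = _parse(filt)
        return [e for e in directory if _matches(ast, e)]
    return search


BASE = "ou=groups,dc=example,dc=com"
ALICE = "uid=alice,ou=people,dc=example,dc=com"   # hypothetical user
BOB = "uid=bob,ou=people,dc=example,dc=com"       # hypothetical user


def group(cn: str, members: List[str], owners: List[str]) -> Entry:
    return {"dn": [f"cn={cn},{BASE}"], "objectclass": ["groupOfNames"],
            "member": members, "owner": owners}


# Constructed sample data: alice sits in 'Dev Leads (EMEA)', which owns 'developers'
# (the parentheses in that DN exercise the filter escaping); she owns 'release' directly.
DIRECTORY = [
    group("Dev Leads (EMEA)", [ALICE], [f"cn=admins,{BASE}"]),
    group("developers", [BOB], [f"cn=Dev Leads (EMEA),{BASE}"]),
    group("release", [BOB], [ALICE]),
    group("finance", [BOB], [f"cn=finance-leads,{BASE}"]),
]

if __name__ == "__main__":
    for dn in writable_groups(make_search(DIRECTORY), ALICE):
        print(dn)
```

Running it lists cn=developers and cn=release for alice and nothing for bob. Lowering batch_size shows the batching path: the result is the same, only the number of step-2 searches changes, which is the trade-off the reply's warning about very large assertions points at.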
