Hi,
I searched a lot but couldn't find a solution, so I'm posting here:
I have to allow a user to get information from our internal LDAP for an
external enterprise software (cloud backup for laptops). Only some
accounts have to be retrievable by this external user.
I created a group (posixGroup) and added members to it (memberUid).
I created the posixAccount that will be used by the external software to get
information on the members of the new group
(uid, userPassword, mail, givenName, sn).
So I want to make an ACL that limits access for the created account to
reading only the information of users from the created group.
I already tested the memberOf overlay but it's not working with memberUid (not
DN style).
Info:
openldap server 2.4.40+dfsg-1 on Debian jessie
simple LDAP:
ou=Users,dc=exemple,dc=com <-- all my users
uid=readers,ou=Users,dc=exemple,dc=com <-- the user I want to use to
see only cn=externalgroupaccess
ou=Groups,dc=exemple,dc=com <-- posixGroup with memberUid
cn=arcaboxUser,ou=Groups,dc=exemple,dc=com <-- the group whose
users have to be visible.
ACL:
access to dn.subtree="dc=exemple,dc=com"
        attrs=entry,uid,userPassword,mail,givenName,sn filter=()
    by dn="uid=readers,ou=Users,dc=exemple,dc=com" read
    by * break
access to dn.subtree="dc=exemple,dc=com"
    by dn="uid=readers,ou=Users,dc=exemple,dc=com" search
    by * break
My problem is with the filter (I think). If I use this:
    filter=(uid=accountuid)
the user "readers" can see the information of accountuid and not of
others.
But cn=arcaboxUser,ou=Groups,dc=exemple,dc=com will have more than 200
accounts.
Question: does someone have an idea how to build a filter that contains all the
memberUid values of cn=arcaboxUser,ou=Groups,dc=exemple,dc=com?
I saw "set", but if I understand this:
http://www.openldap.org/faq/data/cache/1133.html , set is only used in the by
statement of an ACL, not in the filter.
Thank you
Nicolas
(sorry for bad English)
I want to make an ACL that limits access for an account to reading only
the information of users from one group
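As an added example (not part of the original post), the following slapd.conf ACL fragment expresses the requirement without a filter: the set syntax compares the memberUid values of the group against the uid of the entry being accessed (`this`), and ACL ordering with `break` ties that check to the readers account. It assumes the DIT described in the post (ou=Users and ou=Groups under dc=exemple,dc=com) and that these two rules are placed before the database's general access rules.

```conf
# Added example, not from the original post. Assumes the DIT described above:
# users under ou=Users,dc=exemple,dc=com, the posixGroup cn=arcaboxUser holding
# memberUid values, and the reader account uid=readers,ou=Users,dc=exemple,dc=com.
# Place both rules BEFORE the general "access to" rules of the database.

# Rule 1: sort out entries by group membership for the readers account.
#  - The set "[group]/memberUid & this/uid" is non-empty only when the uid of the
#    target entry (this) is listed as a memberUid of cn=arcaboxUser: for those
#    entries every requester falls through (break) to the next rule.
#  - uid=readers reaching the second clause is looking at a non-member: denied (stop).
#  - Everybody else continues with the normal policy.
access to dn.subtree="ou=Users,dc=exemple,dc=com"
        attrs=entry,uid,userPassword,mail,givenName,sn
    by set="[cn=arcaboxUser,ou=Groups,dc=exemple,dc=com]/memberUid & this/uid" break
    by dn.exact="uid=readers,ou=Users,dc=exemple,dc=com" none
    by * break

# Rule 2: for uid=readers only group members arrive here, so grant read
# (read implies search, which is what the backup software needs for lookups).
# userPassword is listed because the post asks for it; read hands out the hash,
# so drop it from the list if the software only needs to authenticate users.
access to dn.subtree="ou=Users,dc=exemple,dc=com"
        attrs=entry,uid,userPassword,mail,givenName,sn
    by dn.exact="uid=readers,ou=Users,dc=exemple,dc=com" read
    by * break

# ... the existing rules for ou=Users and the rest of the DIT follow here.
```

The result can be checked offline with slapacl, e.g. `slapacl -f slapd.conf -D "uid=readers,ou=Users,dc=exemple,dc=com" -b "<DN of a non-member>" uid/read`, which should report that read is denied, while the same command against a member entry should allow it.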