On 04/16/2018 05:17 PM, Mariusz Gronczewski wrote:
> Hi,
>
> Each of our users have DN like uid=xani,ou=users,dc=root,dc=example,dc=com
>
> There is also group hierarchy with POSIX groups having users as memberUid
>
> I have aci (at the ou=groups):
>
> (targetattr = "*") (targetfilter = (|(memberUid=xani)(ou=groups))) (version 3.0;acl "test auth";allow (read,compare,search)(userdn = "ldap:///anyone");)
>
> that allows a certain user to see only POSIX groups where they belong by filtering them by (memberUid=xani).
>
> Is it possible to make a filter that would do same but dynamically take current binded user uid in the filter. Basically I'd like to filter by (memberUid=$binded_user_uid), is that possible ?
It should be possible, read about "defining access based on value
matching. Your aci should look something like
....... allow(....) userattr = memberuid#USERDN
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
No comments:
Post a Comment