
Re: Fine grained access control


On 2012-09-06 00:04, Richard Pijnenburg wrote:
On 2012-09-05 23:23, Arthur de Jong wrote:
On Tue, 2012-09-04 at 00:40 +0200, Richard Pijnenburg wrote:
The cn=prod,ou=isp,ou=acl,dc=ispavailability,dc=com is the group then
I want to use. With ldapsearch -x -b
"cn=prod,ou=isp,ou=acl,dc=ispavailability,dc=com" i get the list like

dn: cn=prod,ou=isp,ou=acl,dc=ispavailability,dc=com
objectClass: groupOfURLs
cn: prod
member: uid=testuser1,ou=people,dc=ispavailability,dc=com
member: uid=testuser2,ou=people,dc=ispavailability,dc=com
member: uid=extuser1,ou=people,dc=ispavailability,dc=com
member: uid=extuser2,ou=people,dc=ispavailability,dc=com

I guess this should be something like:

pam_authz_search (&(objectClass=groupOfURLs)(cn=prod)(member=$dn))

With pam_authz_search you can't currently specify the search base and
the default search base is used. So you have to make your filter
specific enough to only match the object you want.

The member=$dn would ensure that only members for the logged-in user
should be matched.

You could combine this to allow users that have a host attribute access
regardless of the group they are in:



It's a bit long and I hope I got the parentheses right.

Hi Arthur,

I'll give it a try and let you know.
Thank you very much for your time :-)


Hi Arthur,

Finally had time to test it out.
First did a ldapsearch based on a part of the search string:

ldapsearch -x '(&(objectClass=groupOfURLs)(cn=prod)(member=uid=richard,ou=people,dc=ispavailability,dc=com))'

And I get nothing back.

If I take out the member part I get this:

ldapsearch -x '(&(objectClass=groupOfURLs)(cn=prod))'

# extended LDIF
# LDAPv3
# base <dc=ispavailability,dc=com> (default) with scope subtree
# filter: (&(objectClass=groupOfURLs)(cn=prod))
# requesting: ALL

# prod, isp, acl,
dn: cn=prod,ou=isp,ou=acl,dc=ispavailability,dc=com
objectClass: groupOfURLs
cn: prod acl
cn: prod
memberURL: ldap:///cn=sysadmin,ou=isp,ou=groups,dc=ispavailability,dc=com?memb
member: uid=richard,ou=people,dc=ispavailability,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Any idea what I'm doing wrong?
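
The check pam_authz_search performs, as an added worked example that is not part of this thread and not nslcd's own code: the user's DN is substituted for $dn in the filter template, the filter is run against the directory, and a non-empty result means "allowed" while an empty result (as in the ldapsearch with the member clause above) means "denied". The directory here is a constructed LDIF modelled on the group entries quoted in the thread, the filter evaluator supports only &, |, ! and equality assertions with case-insensitive comparison, and it only sees stored member values; these are simplifications of what a real server does. The escaping of $dn per RFC 4515 is included so that a DN containing filter metacharacters cannot widen the match.

```python
import re
from string import Template

# Constructed LDIF modelled on the group entries quoted in the thread; not a live directory.
SAMPLE_LDIF = """\
dn: cn=prod,ou=isp,ou=acl,dc=ispavailability,dc=com
objectClass: groupOfURLs
cn: prod
member: uid=testuser1,ou=people,dc=ispavailability,dc=com
member: uid=testuser2,ou=people,dc=ispavailability,dc=com

dn: cn=dev,ou=isp,ou=acl,dc=ispavailability,dc=com
objectClass: groupOfURLs
cn: dev
member: uid=extuser1,ou=people,dc=ispavailability,dc=com
"""

# The template suggested in the thread; $dn is replaced by the authenticating user's DN.
AUTHZ_TEMPLATE = "(&(objectClass=groupOfURLs)(cn=prod)(member=$dn))"


def parse_ldif(text):
    """Parse a minimal LDIF (no continuation lines, no base64 values) into a list of
    {attribute (lowercase): [values]} dicts, one per entry."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def escape_filter_value(value):
    """RFC 4515 escaping: a DN containing '*', '(', ')', '\\' or NUL must not alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def unescape_filter_value(value):
    """Reverse of escape_filter_value: turn \\XX hex escapes back into characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def expand_template(template, user_dn):
    """Substitute the escaped user DN for $dn, as nslcd does before searching."""
    return Template(template).substitute(dn=escape_filter_value(user_dn))


def parse_filter(text):
    """Recursive-descent parser for the subset of RFC 4515 used here (&, |, ! and
    attribute=value). Returns a nested tuple tree."""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(parse())
            if text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return (op, children)
        end = text.index(")", pos)          # escaped ')' never appears literally
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.strip().lower(), unescape_filter_value(value))

    node = parse()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive equality only)."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def authz_search(ldif_text, template, user_dn):
    """DNs of entries matching the expanded filter; like pam_authz_search, empty means deny."""
    tree = parse_filter(expand_template(template, user_dn))
    return [e["dn"][0] for e in parse_ldif(ldif_text) if matches(tree, e)]


def is_authorized(user_dn, ldif_text=SAMPLE_LDIF, template=AUTHZ_TEMPLATE):
    return bool(authz_search(ldif_text, template, user_dn))


if __name__ == "__main__":
    for dn in ("uid=testuser1,ou=people,dc=ispavailability,dc=com",
               "uid=extuser1,ou=people,dc=ispavailability,dc=com"):
        print(dn, "->", "allowed" if is_authorized(dn) else "denied")
```

The useful check this gives a practitioner is the one Richard ran by hand: whatever filter you put in pam_authz_search must, with the real user DN in place of $dn, return at least one entry from the default search base, or the login is refused. If the manual ldapsearch returns nothing, the module will refuse too.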
