
How to make an ACI for users that are `roleOccupant` in an `organizationalRole`?


In OpenLDAP I had an access rule using users that are roleOccupants in a specific organizationalRole like this (the example is just a fragment):

olcAccess: to * by group/organizationalRole/roleOccupant.exact="cn=Manager,dc=roles,dc=example,dc=org" write

Unfortunately I'm not able to convert this to an ACI for 389-DS. What I tried without success was:

aci: (targetattr = "*")(version 3.0; acl "Manager test"; allow (all)(userdn="ldap:///cn=Manager,dc=roles,dc=example,dc=org??one?(roleOccupant=*)");)

Tracing the ACI evaluation I see that 389-DS is searching in dc=people,dc=example,dc=org for cn=Manager,dc=roles,dc=example,dc=org as a direct child (one).

But I must admit that I'm overwhelmed by the complexity of the ACIs as described in "1.10. Defining ACI bind rules". Originally I had thought I could use roledn=, but with the existing structure no roles are listed by dsidm; it seems it only works for "Netscape Roles" (nsRoleDefinition, etc.).

So is it possible to use my existing role structure for access control in 389-DS?
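To make the difference between the two rules concrete, here is an added example (not from the question, OpenLDAP or 389-DS) that models a tiny constructed directory in Python and evaluates both the OpenLDAP `group/organizationalRole/roleOccupant.exact=` rule and an RFC 4516 LDAP-URL bind rule of the form used in the attempted `userdn=`. The entries `uid=alice` and `uid=bob` and the role's `roleOccupant` value are constructed assumptions.

```python
"""Toy model of the two bind-rule semantics in the question (added example,
not code from OpenLDAP or 389-DS). Directory contents are constructed."""
from urllib.parse import unquote

# Constructed directory: DN -> attributes (attribute names lower-cased).
DIRECTORY = {
    "cn=Manager,dc=roles,dc=example,dc=org": {
        "objectclass": ["organizationalRole"],
        "roleoccupant": ["uid=alice,dc=people,dc=example,dc=org"],
    },
    "uid=alice,dc=people,dc=example,dc=org": {"objectclass": ["inetOrgPerson"]},
    "uid=bob,dc=people,dc=example,dc=org": {"objectclass": ["inetOrgPerson"]},
}

def norm(dn):
    """Case-insensitive DN comparison, ignoring whitespace around commas."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def entry(directory, dn):
    """Look up an entry by DN, or return an empty attribute dict."""
    return next((a for d, a in directory.items() if norm(d) == norm(dn)), {})

def openldap_group_match(directory, group_dn, member_attr, bind_dn):
    """group/<objectClass>/<attr>.exact=<dn>: the bind DN must be listed as a
    value of <attr> in the entry <dn> (membership is stored on the role)."""
    values = entry(directory, group_dn).get(member_attr.lower(), [])
    return norm(bind_dn) in {norm(v) for v in values}

def ldap_url_match(directory, url, bind_dn):
    """ldap:///<base>?<attrs>?<scope>?<filter> (RFC 4516): the bind DN must itself
    be an entry under <base>, within <scope>, matching <filter>. Only presence
    filters such as (roleOccupant=*) are modelled; default scope is base."""
    parts = unquote(url[len("ldap:///"):]).split("?")
    base = norm(parts[0])
    scope = parts[2].lower() if len(parts) > 2 and parts[2] else "base"
    flt = parts[3] if len(parts) > 3 else ""
    bind = norm(bind_dn)
    parent = bind.split(",", 1)[1] if "," in bind else ""
    in_scope = {"base": bind == base, "one": parent == base,
                "sub": bind == base or bind.endswith("," + base)}.get(scope, False)
    if not in_scope:
        return False
    attr = flt.strip("()").split("=", 1)[0].lower()  # presence filter only
    return not attr or attr in entry(directory, bind_dn)

if __name__ == "__main__":
    role = "cn=Manager,dc=roles,dc=example,dc=org"
    url = "ldap:///" + role + "??one?(roleOccupant=*)"  # the attempted bind rule
    for user in ("uid=alice,dc=people,dc=example,dc=org", "uid=bob,dc=people,dc=example,dc=org"):
        print(user, openldap_group_match(DIRECTORY, role, "roleOccupant", user),
              ldap_url_match(DIRECTORY, url, user))
```

Under this model the OpenLDAP rule grants alice (she is a `roleOccupant` value of the role entry), while the URL rule matches nobody in the people tree, because it selects entries that are direct children of the role DN, not entries the role points at.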
