On 29/11/2018 20:12, Ludwig Krispenz wrote:
> On 11/29/2018 12:32 AM, Alistair Cunningham wrote:
>> Is there a neat way to replace the ACL below that needs to be
>> once for each ou with one single ACL that works for every ou? Perhaps
>> some way of saying that the "ou=2,dc=example,dc=com" in the target
>> part must match the same string in the userdn part?
>> aci: (target="ldap:///ou=2,dc=example,dc=com")(targetattr=*)(version
>> 3.0;acl "aci2";allow (read,search)
> you should look into Macro ACIs, chap. 18.16
> or maybe [$dn] in the userdn to be able to target subentries.
> Now it is a question whether you should use this. If your tree is very dynamic
> and you add or remove subtrees and don't want to change the acis each
> time, macro acis are the right approach, but if you have a few subtrees
> which are stable, macro acis can be a bit of overhead in evaluating and
> adding individual acis is only a bit tedious in the beginning.
The tree design will be simple and stable, with one ou for each tenant
directly under the base. However, there may be a very large number of
them - potentially hundreds of thousands. Would you recommend Macro ACIs
in this case?
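As an added example (not from this thread or from the 389-ds project), a small Python model of the ($dn)/[$dn] substitution rules as documented in the RHDS Administration Guide, used to preview what a single macro ACI at the base would grant across tenant ous before it is deployed. The ACI pattern, the sample DNs and the matching rules are assumptions taken from the documentation rather than the server's code, so the result should be confirmed against a test instance.

```python
"""Added model of macro ACI substitution (not 389-ds/RHDS server code): it
previews which bind DNs one macro ACI at the base would let read each tenant
entry, following the ($dn)/[$dn] rules in the RHDS Administration Guide."""
import re
from typing import List, Optional

BASE = "dc=example,dc=com"
# Constructed candidate replacing one "aci2"-style ACI per tenant ou.
# Assumption: ($dn) in the target captures the RDNs between ldap:/// and the
# base; [$dn] in the subject re-inserts them, then walks up one RDN at a time.
TARGET = "ldap:///($dn)," + BASE
SUBJECT = "ldap:///uid=*,[$dn]," + BASE

def match_target(entry_dn: str) -> Optional[str]:
    """Return the RDNs that ($dn) captures for entry_dn, or None when the
    entry is outside the macro target (the base entry itself is outside)."""
    prefix, suffix = TARGET[len("ldap:///"):].split("($dn)")
    if not (entry_dn.startswith(prefix) and entry_dn.endswith(suffix)):
        return None
    captured = entry_dn[len(prefix):len(entry_dn) - len(suffix)]
    return captured or None

def expand_subject(captured: str) -> List[str]:
    """[$dn] tries the full captured value first, then drops the leftmost RDN
    on each retry, so an entry below ou=2 still resolves to ou=2."""
    rdns = captured.split(",")
    return [SUBJECT.replace("[$dn]", ",".join(rdns[i:])) for i in range(len(rdns))]

def subject_matches(pattern: str, bind_dn: str) -> bool:
    """Match a userdn pattern such as ldap:///uid=*,ou=2,dc=example,dc=com;
    '*' stands for one RDN value (model simplification)."""
    body = re.escape(pattern[len("ldap:///"):]).replace(r"\*", "[^,]+")
    return re.fullmatch(body, bind_dn) is not None

def allowed(entry_dn: str, bind_dn: str) -> bool:
    """True if the modelled macro ACI grants bind_dn read/search on entry_dn."""
    captured = match_target(entry_dn)
    if captured is None:
        return False
    return any(subject_matches(p, bind_dn) for p in expand_subject(captured))

if __name__ == "__main__":
    # Constructed DNs: a user in tenant ou=2 reads ou=2 data but not from ou=3.
    for binder in ("uid=alice,ou=2," + BASE, "uid=eve,ou=3," + BASE):
        print(binder, "->", allowed("uid=bob,ou=2," + BASE, binder))
```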