Re: acl only in slapd.conf
I would like to know how you do the following with ACLs:
I have two groups:
dn: cn=group admins,dc=my,dc=domain
dn: cn=group,dc=my,dc=domain
I have defined the owner of cn=group,dc=my,dc=domain to cn=group
admins,dc=my,dc=domain.
How do I use the value of the owner attribute to grant access to members of
group cn=group admins,dc=my,dc=domain?
The dnattr only seems to work for access to the SAME entry. So I can't use
the dnattr. The best I have been able to come up with was from a VERY old
FAQ entry at the OpenLDAP home page (which could use some improvements on
its regex expressions):
  access to dn="cn=([^,]+),dc=my,dc=domain" attrs=uniquemember
      by group/groupofuniquenames/uniquemember="cn=$1 admins,dc=my,dc=domain" write
This works, but only lets this admin group manage this SINGLE other
group. I would really like to use the owner attribute, but am at a loss as
to how to proceed. This is on a test OpenLDAP server 2.0cvs, which is my
first priority to get working. Once it is working, I am interested in
applying the same thing to older 1.2.11 servers (until 2.0 is considered
'released').
Could we use the experimental support for in-directory ACL in 2.0cvs to do
this? If so, how do you use this? I have reviewed the admin guide for
2.0, and it doesn't mention anything about it.
Just looking for some cookbook approaches. Obviously, I am using the
enhanced group methods. It would be nice to have something similar to:
dnattr=owner/group/groupofuniquenames/uniquemember
Thanks in advance for any advice,
Tony
At 01:17 PM 8/27/00 -0700, Kurt@OpenLDAP.org wrote:
> At 01:42 PM 8/27/00 +0200, Lars Kneschke wrote:
> > Is it correct that I can define ACLs only in the slapd.conf?
> In 1.2, yes.
>
> 2.x (currently in gamma testing) has experimental support for
> in-directory access control information.
******************************************************************************
* Anthony Brock abrock@georgefox.edu *
* Director of Network Services George Fox University *
******************************************************************************
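The limitation Tony describes (the regex rule only lets "cn=X admins" manage "cn=X", while an owner attribute would let one admin group manage any group that names it as owner) can be seen without a running slapd. The following is an added example, not code from the message or from OpenLDAP: it models both rules over a constructed in-memory directory. It assumes that slapd applies a dn="regex" ACL as an unanchored POSIX regex, so `^` and `$` are needed to stop child entries of a group from matching too; confirm that against slapd.access(5) for your release. The entry DNs, the owner-following rule and the function names are all constructed for illustration.

```python
"""Offline model of the two ACL styles discussed in the post.

Added example, not OpenLDAP code.  A tiny constructed directory is evaluated
against (1) the regex/group rule from the post and (2) an owner-following
rule of the kind the poster would like to have.
"""
import re

# Constructed directory: DN -> attributes (attribute names in lower case).
DIRECTORY = {
    "cn=group admins,dc=my,dc=domain": {
        "objectclass": ["groupOfUniqueNames"],
        "uniquemember": ["uid=tony,dc=my,dc=domain"],
    },
    "cn=group,dc=my,dc=domain": {
        "objectclass": ["groupOfUniqueNames"],
        "owner": ["cn=group admins,dc=my,dc=domain"],
        "uniquemember": ["uid=alice,dc=my,dc=domain"],
    },
    # Second group owned by the same admins, but its name does not follow
    # the "<name> admins" convention the regex rule depends on.
    "cn=staff,dc=my,dc=domain": {
        "objectclass": ["groupOfUniqueNames"],
        "owner": ["cn=group admins,dc=my,dc=domain"],
        "uniquemember": ["uid=bob,dc=my,dc=domain"],
    },
    # Child entry below a group: shows what an unanchored regex matches.
    "ou=archive,cn=group,dc=my,dc=domain": {
        "objectclass": ["organizationalUnit"],
    },
}

# Patterns as written in the post and with anchors added (assumed fix).
UNANCHORED = r"cn=([^,]+),dc=my,dc=domain"
ANCHORED = r"^cn=([^,]+),dc=my,dc=domain$"


def normalize_dn(dn):
    """Crude DN normalisation: trim RDN whitespace, compare case-insensitively."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_member(group_dn, user_dn, attr="uniquemember"):
    """True if user_dn is listed in group_dn's membership attribute."""
    group = DIRECTORY.get(normalize_dn(group_dn))
    if group is None:
        return False
    members = {normalize_dn(m) for m in group.get(attr, [])}
    return normalize_dn(user_dn) in members


def regex_group_rule(target_dn, user_dn, pattern=UNANCHORED):
    """Model of:
         access to dn="<pattern>" attrs=uniquemember
             by group/groupofuniquenames/uniquemember="cn=$1 admins,dc=my,dc=domain" write
    re.search mirrors an unanchored regex; $1 becomes the admin group's cn.
    """
    match = re.search(pattern, target_dn)
    if match is None:
        return False
    admin_group = f"cn={match.group(1)} admins,dc=my,dc=domain"
    return is_member(admin_group, user_dn)


def owner_rule(target_dn, user_dn):
    """Hypothetical owner-following rule: a member of any group named in the
    target entry's owner attribute gets write.  Decouples admin-group naming
    from target-group naming, which the regex rule cannot do."""
    entry = DIRECTORY.get(normalize_dn(target_dn))
    if entry is None:
        return False
    return any(is_member(owner, user_dn) for owner in entry.get("owner", []))


if __name__ == "__main__":
    tony = "uid=tony,dc=my,dc=domain"
    for target in ("cn=group,dc=my,dc=domain", "cn=staff,dc=my,dc=domain",
                   "ou=archive,cn=group,dc=my,dc=domain"):
        print(f"{target:40} regex={regex_group_rule(target, tony)!s:5} "
              f"anchored={regex_group_rule(target, tony, ANCHORED)!s:5} "
              f"owner={owner_rule(target, tony)}")
```

Run as a script it prints one line per target entry: tony can write cn=group under both rules, can write cn=staff only under the owner rule (there is no "cn=staff admins" group), and under the unanchored regex also gets write on the ou=archive child entry, which the anchored pattern excludes. Whether your slapd release offers a rule that follows an attribute value the way `owner_rule` does is a question for its slapd.access(5) man page, not something this model can answer.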