
RE: group access "write" in OpenLDAP 2.1.4



Fri, 2002-09-13 at 13:42, Howard Chu wrote:

> > by group="cn=peoplemanagers,ou=groups,dc=billy,dc=demon,dc=nl"
> > dnattr=member write

> This doesn't look right to me, but I'm not sure I understand the example. It
> sounds to me like you have a group "cn=local group,dc=example,dc=com" and you
> have another group "cn=peoplemanagers,dc=example,dc=com" and you're saying
> that the members of "peoplemanagers" are allowed to modify attributes on the
> members of "local group."

> There is no facility that lets you specify members of a group as the target
> of an ACL. It might be nice to say "access to group=foo by group=bar write"
> but slapd doesn't support this.

No. Exactly.

Howard, I (being a "Bear of Little Brain" ^TM A. A. Milne) have this
golden rule with computers and computer software: "If it works, do/use
it. If it doesn't work, RTFM or go kick others 'til it does. In the end,
it's going to work anyway, so keep RTFMing or kicking."

So, it works.

My complete ACL, as I answered _Ace (far above this on the list), is:

access to dn="dc=billy,dc=demon,dc=nl"
        attrs=homePhone,mobile,carPhone,birthDate
        attrs=homePostalAddress,fileAs
        attr=labeledURI
        by anonymous auth # <- *no comment, please!*
        by self write
        by dn="cn=Admin,dc=billy,dc=demon,dc=nl" write
        by dn=".*,ou=people,ou=groups,dc=billy,dc=demon,dc=nl" read
        by group="cn=peoplemanagers,ou=groups,dc=billy,dc=demon,dc=nl"
                dnattr=member write
        by * none

#

Most of the above attributes are from evolution.schema, grace à Adam
Williams, so don't go looking for them unless you use Ximian's Evolution
and use the back door :-)

Thanks for pointing out that I should make myself clear. Tuesday last, I
was lambasted by a professional colleague, on the job by a client, for
making myself too clear.

Tsk tsk, you just can't win.

Best,

Tony

-- 

Tony Earnshaw

Tha can allway tell a Yorkshireman, but tha canna tell 'im much.

e-mail:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
gpg public key:	http://www.billy.demon.nl/tonni.armor

Telephone:	(+31) (0)172 530428
Mobile:		(+31) (0)6 51153356

GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
3BE7B981

