
Re: Strange ACL request





--On Wednesday, April 16, 2003 7:49 PM -0500 Jerry Haltom <wasabi@larvalstage.net> wrote:

I am running into one problem with this. I am getting an object class
violation trying to add the member attribute. Does the member attribute
require dn's of a specific objectClass? I am using person, posixAccount,
and a few others.

On Wed, 2003-04-16 at 19:17, Quanah Gibson-Mount wrote:
--On Wednesday, April 16, 2003 6:42 PM -0500 Jerry Haltom
<wasabi@larvalstage.net> wrote:

> Would it be possible to assign a ACL by member of group in ldap.
>
> This seems hard to explain
>
> gid=admins,ou=groups,dc=feedbackplusinc,com
> memberUid: jhaltom
> memberUid: lburton
>
> I would want both uid=jhaltom,ou=users,dc=feedbackplusinc,dc=com as
> well as the same with lburton to have higher permissions. I don't want
> to specify these users specifically in the slapd.conf.
>
> I was wondering if this kind of regular expression, substitution,
> whatever, is possible in a OpenLDAP 2.1 ACL?

Yes, although lburton would simply be in an ACL group with higher
permissions, not in both locations.

We use that right now @ Stanford for our ldapAdmins group.

Something like:

dn: cn=admins,ou=groups,dc=feedbackplusinc,dc=com
objectClass: groupOfNames
cn: admins
member: uid=jhaltom,ou=users,dc=feedbackplusinc,dc=com
# <other ldapadmin members>

Then in your slapd.ACL file

access to *
	by group.base="cn=admins,ou=groups,dc=feedbackplusinc,dc=com" read
	by * break

What is the definition of your ou=groups object class?

We use:

dn: cn=Applications,dc=stanford,dc=edu
objectClass: top
objectClass: organizationalRole
cn: Applications

so ours is

cn=ldapadmin,cn=applications,dc=stanford,dc=edu

--Quanah


--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
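The two mechanisms the thread turns on, the objectClass check that produced Jerry's "object class violation" and the `by group.base="..."` clause Quanah uses, modelled in a small Python script. This is an added example written for this page, not OpenLDAP code: the MUST/MAY lists are those of groupOfNames in core.schema and posixGroup in nis.schema, the two LDIF entries are constructed from the thread (the gidNumber value and the dc=com spelling of the suffix are assumed), and the DN normalisation is a simplification of what slapd does.

```python
"""Toy model of two slapd behaviours from the thread: the objectClass check
that rejects 'member' on a posixGroup entry, and the 'by group.base="..."'
ACL clause, which grants access only to bind DNs listed as 'member' values
of a groupOfNames entry. Illustration written for this page, not OpenLDAP
code. MUST/MAY lists are those of core.schema (groupOfNames) and
nis.schema (posixGroup)."""

# Lower-cased MUST / MAY attribute lists for the object classes involved.
SCHEMA = {
    "top": {"must": {"objectclass"}, "may": set()},
    "groupofnames": {"must": {"cn", "member"},
                     "may": {"businesscategory", "seealso", "owner",
                             "ou", "o", "description"}},
    "posixgroup": {"must": {"cn", "gidnumber"},
                   "may": {"userpassword", "memberuid", "description"}},
}

# Constructed from the thread (gidNumber and the dc=com suffix are assumed).
POSIX_GROUP = """
dn: cn=admins,ou=groups,dc=feedbackplusinc,dc=com
objectClass: top
objectClass: posixGroup
cn: admins
gidNumber: 1000
memberUid: jhaltom
memberUid: lburton
"""
# The same entry after adding a 'member' attribute, as Jerry tried to do.
POSIX_GROUP_WITH_MEMBER = POSIX_GROUP + \
    "member: uid=jhaltom,ou=users,dc=feedbackplusinc,dc=com\n"

# Quanah's groupOfNames shape; the cn value must match the RDN.
ADMINS_GROUP = """
dn: cn=admins,ou=groups,dc=feedbackplusinc,dc=com
objectClass: top
objectClass: groupOfNames
cn: admins
member: uid=jhaltom,ou=users,dc=feedbackplusinc,dc=com
member: uid=lburton,ou=users,dc=feedbackplusinc,dc=com
"""

def parse_ldif(text):
    """Parse one LDIF entry into (dn, {attr: [values]}); attr names lower-cased."""
    dn, attrs = None, {}
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs

def normalize_dn(dn):
    """Case-insensitive DN match: trim each RDN and lower-case. slapd's
    normalisation is schema-aware; this suffices for cn/uid/ou/dc DNs."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def check_object_class(entry):
    """Return the schema violations for an entry ([] when valid): every MUST
    attribute present, no attribute outside MUST|MAY, and the RDN's naming
    attribute present among the entry's values."""
    dn, attrs = entry
    classes = [c.lower() for c in attrs.get("objectclass", [])]
    allowed, problems = {"objectclass"}, []
    for oc in classes:
        if oc not in SCHEMA:
            problems.append("unknown objectClass %s" % oc)
            continue
        for must in SCHEMA[oc]["must"]:
            if must not in attrs:
                problems.append("%s requires %s" % (oc, must))
        allowed |= SCHEMA[oc]["must"] | SCHEMA[oc]["may"]
    for name in attrs:
        if name not in allowed:
            problems.append("attribute %s not allowed by %s" % (name, classes))
    rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
    rdn_attr = rdn_attr.strip().lower()
    if rdn_val.strip().lower() not in [v.lower() for v in attrs.get(rdn_attr, [])]:
        problems.append("naming attribute %s is not present in entry" % rdn_attr)
    return problems

def group_base_access(group_entry, bind_dn, level="read", member_attr="member"):
    """Model of:  access to *  by group.base="<dn of group_entry>" <level>
    by * break.  Returns level when bind_dn is one of the group's member
    DNs, else None (the 'break' falls through to later access directives).
    memberUid values are plain uids, not DNs, so they can never match here."""
    _, attrs = group_entry
    members = {normalize_dn(v) for v in attrs.get(member_attr, [])}
    return level if normalize_dn(bind_dn) in members else None

if __name__ == "__main__":
    for label, text in (("posixGroup + member", POSIX_GROUP_WITH_MEMBER),
                        ("groupOfNames", ADMINS_GROUP)):
        print(label, "->", check_object_class(parse_ldif(text)) or "ok")
    for text in (POSIX_GROUP, ADMINS_GROUP):
        group = parse_ldif(text)
        for who in ("jhaltom", "nobody"):
            dn = "uid=%s,ou=users,dc=feedbackplusinc,dc=com" % who
            print(group[1]["objectclass"][-1], who, "->",
                  group_base_access(group, dn))
```

Two things the model makes visible: a posixGroup entry has no room for `member`, so the DN-valued membership a `group.base` clause needs has to live in a separate groupOfNames entry (or the users' DNs go into an entry of a class that allows `member`), and a `memberUid` value is a bare uid that a `group.base` comparison never matches. In a real slapd.conf the `access to *` directive with `by * break` has to come before the more specific directives it is meant to fall through to, because slapd uses the first `access to` clause whose target matches.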