
Re: Strange ACL request



I'm not quite sure what you mean. This is the definition for my admins
group.

dn: cn=admins,ou=groups,dc=feedbackplusinc,dc=com
objectClass: top
objectClass: posixGroup
cn: admins
gidNumber: 2000
memberUid: jhaltom
memberUid: lburton

What I gathered from Howard Chu's reply, was that I should add

objectClass: groupOfNames
member: uid=jhaltom,ou=users,dc=feedbackplusinc,dc=com
member: uid=lburton,ou=users,dc=feedbackplusinc,dc=com

and then an ACL such as this would work

access to *
        by dn="cn=root,dc=feedbackplusinc,dc=com" write
        by group.base="cn=admins,ou=groups,dc=feedbackplusinc,dc=com" write
        by * read

Correct?

On Wed, 2003-04-16 at 23:00, Quanah Gibson-Mount wrote:
> --On Wednesday, April 16, 2003 7:49 PM -0500 Jerry Haltom 
> <wasabi@larvalstage.net> wrote:
> 
> > I am running into one problem with this. I am getting an object class
> > violation trying to add the member attribute. Does the member attribute
> > require dn's of a specific objectClass? I am using person, posixAccount,
> > and a few others.
> >
> > On Wed, 2003-04-16 at 19:17, Quanah Gibson-Mount wrote:
> >> --On Wednesday, April 16, 2003 6:42 PM -0500 Jerry Haltom
> >> <wasabi@larvalstage.net> wrote:
> >>
> >> > Would it be possible to assign an ACL by member of group in ldap.
> >> >
> >> > This seems hard to explain
> >> >
> >> > gid=admins,ou=groups,dc=feedbackplusinc,com
> >> > memberUid: jhaltom
> >> > memberUid: lburton
> >> >
> >> > I would want both uid=jhaltom,ou=users,dc=feedbackplusinc,dc=com as
> >> > well as the same with lburton to have higher permissions. I don't want
> >> > to specify these users specifically in the slapd.conf.
> >> >
> >> > I was wondering if this kind of regular expression, substitution,
> >> > whatever, is possible in a OpenLDAP 2.1 ACL?
> >>
> >> Yes, although lburton would simply be in an ACL group with higher
> >> permissions, not in both locations.
> >>
> >> We use that right now @ Stanford for our ldapAdmins group.
> >>
> >> Something like:
> >>
> >> dn: cn=admins,ou=groups,dc=feedbackplusinc,dc=com
> >> objectClass: groupOfNames
> >> cn: ldapAdmin
> >> member: uid=jhaltom,ou=users,dc=feedbackplusinc,dc=com
> >> <other ldapadmin members>
> >>
> >> Then in your slapd.ACL file
> >>
> >> access to *
> >> 	by group.base="cn=admins,ou=groups,dc=feedbackplusinc,dc=com" read
> >> 	by * break
> 
> What is the definition of your ou=groups object class?
> 
> We use:
> 
> dn: cn=Applications,dc=stanford,dc=edu
> objectClass: top
> objectClass: organizationalRole
> cn: Applications
> 
> so ours is
> 
> cn=ldapadmin,cn=applications,dc=stanford,dc=edu
> 
> --Quanah
> 
> 
> --
> Quanah Gibson-Mount
> Senior Systems Administrator
> ITSS/TSS/Computing Systems
> Stanford University
> GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
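The point of the thread in working form, as an added example that is not part of any message above: slapd's `by group.base=...` clause defaults to objectClass groupOfNames and attribute member (per slapd.access(5)), so a posixGroup's memberUid values are never consulted. The script parses the constructed LDIF modelled on the admins entry, reports why the ACL clause would not match it, and builds the groupOfNames form; the users base `ou=users,dc=feedbackplusinc,dc=com` is assumed from the DNs in the thread.

```python
import re

# Constructed LDIF modelled on the posixGroup entry posted in the thread.
POSIX_GROUP_LDIF = """\
dn: cn=admins,ou=groups,dc=feedbackplusinc,dc=com
objectClass: top
objectClass: posixGroup
cn: admins
gidNumber: 2000
memberUid: jhaltom
memberUid: lburton
"""
ACL_CLAUSE = 'by group.base="cn=admins,ou=groups,dc=feedbackplusinc,dc=com" write'
USERS_BASE = "ou=users,dc=feedbackplusinc,dc=com"  # assumed from the thread's user DNs

def parse_ldif(text):
    """Parse one LDIF entry into {attr: [values]}, unfolding continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # a leading space continues the previous line
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def to_group_of_names(entry, users_base):
    """Copy the entry, adding objectClass groupOfNames and one DN-valued 'member'
    per memberUid; group.base matches member DNs, not bare uids."""
    new = {k: list(v) for k, v in entry.items()}
    if "groupofnames" not in {c.lower() for c in new.get("objectClass", [])}:
        new.setdefault("objectClass", []).append("groupOfNames")
    members = new.setdefault("member", [])
    for uid in new.get("memberUid", []):
        dn = f"uid={uid},{users_base}"
        if dn not in members:
            members.append(dn)
    return new

def acl_problems(entry, acl_clause):
    """Reasons a 'by group.base=...' clause would never match this entry."""
    problems = []
    if "groupofnames" not in {c.lower() for c in entry.get("objectClass", [])}:
        problems.append("no objectClass groupOfNames: 'member' is not allowed and group.base expects groupOfNames")
    if not entry.get("member"):
        problems.append("no 'member' values: group.base ignores memberUid")
    m = re.search(r'group\.base="([^"]+)"', acl_clause)
    if not m or m.group(1).lower() != entry["dn"][0].lower():
        problems.append("group.base DN in the ACL differs from the entry DN")
    return problems
```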