
RE: help with groups?



I have seen the memberOf attribute in Active Directory but
I don't see an attribute like it in OpenLDAP.

Anyone know of anything that would work?

Ron.


-----Original Message-----
From: Ron Wahler 
Sent: Wednesday, May 07, 2003 9:56 AM
To: Tony Earnshaw; pll+ldap@lanminds.com
Cc: openldap-software@OpenLDAP.org
Subject: RE: help with groups?


Is there an attribute that will point a user to the group they are part
of?

Ron.


-----Original Message-----
From: Tony Earnshaw [mailto:tonni@billy.demon.nl] 
Sent: Tuesday, April 29, 2003 2:08 PM
To: pll+ldap@lanminds.com
Cc: openldap-software@OpenLDAP.org
Subject: Re: help with groups?

On Tue, 29/04/2003 at 19:54, pll+ldap@lanminds.com wrote:

> I'd like to use some groups to manage my LDAP server.  Specifically, 
> I'd like to create a group of people who can admin the LDAP server.
> 
> However, I'm a little confused on how to create a group.  What would 
> the LDIF tree look like?
[...]
> I'd like to create a group called 'ldap' and assign certain people to
> it as members (ideally for use as an authentication mechanism).  But
> I'm a little fuzzy on how to create the group and assign members to
> it.  Help and/or pointers to docs would be greatly appreciated!

There are different ways of making different kinds of groups for
different purposes. Here's one (of about 3) that I use:

dn: cn=peoplemanagers,ou=people,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: peoplemanagers
ou: ou=peoplemanagers,ou=groups,dc=example,dc=com
member: cn=bill,ou=people,ou=groups,dc=example,dc=com
member: cn=pete,ou=people,ou=groups,dc=example,dc=com
member: cn=mary,ou=people,ou=groups,dc=example,dc=com

You could have groupOfUniqueNames instead of groupOfNames, but then you
have to have uniqueMember instead of member.

So, your: cn=John J Jones,ou=people,dc=foo,dc=bar would fit into that
pattern.

The fun comes when giving the group rights in your ACLs. Say you want to
let them and the respective "owner" change passwords:

access to dn="dc=example,dc=com"
  attr=userPassword
  by group="cn=peoplemanagers,ou=people,ou=groups,dc=example,dc=com" write
  by self write
  by anonymous auth

(each of the above lines should be written /without/ line breaks, on a
single line.)

Which is relatively easy. But it gets worse in the case of whole DNs and
subtrees under them to which the group has to have rights, and where you
have to start using regexes to make it work. However, try the above
first :)

Best,

Tony

-- 
Tony Earnshaw

Do not come to visit me with both arms the same length.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
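The group entry and the ACL from Tony's message, worked through as a small stand-alone model. This is an added example, not code from the thread or from OpenLDAP: the LDIF is constructed (the extra helpdesk group only shows the groupOfUniqueNames/uniqueMember variant the message mentions), and norm_dn, parse_ldif, groups_of and password_access are names chosen here. It illustrates two things the thread touches: because a groupOfNames stores membership on the group entry as member values, answering "which groups is this user in" means searching the groups for the user's DN; and slapd evaluates the by-clauses of an access directive in order, first match wins, so an authenticated user who is neither a peoplemanagers member nor the entry's own owner gets no access to userPassword at all, while an anonymous session is only allowed to use it for binding.

```python
from typing import Dict, List, Optional

# Constructed LDIF in the same shape as the group entry posted in the thread.
# The helpdesk group is made up here to show the uniqueMember variant.
GROUP_LDIF = """\
dn: cn=peoplemanagers,ou=people,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: peoplemanagers
member: cn=bill,ou=people,ou=groups,dc=example,dc=com
member: cn=pete,ou=people,ou=groups,dc=example,dc=com
member: cn=mary,ou=people,ou=groups,dc=example,dc=com

dn: cn=helpdesk,ou=people,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: helpdesk
uniqueMember: cn=mary,ou=people,ou=groups,dc=example,dc=com
"""

# Which attribute carries membership for each group class (as in the thread).
MEMBER_ATTR = {"groupofnames": "member", "groupofuniquenames": "uniquemember"}

# Values taken from the ACL in the thread.
PEOPLEMANAGERS = "cn=peoplemanagers,ou=people,ou=groups,dc=example,dc=com"
ACL_SUFFIX = "dc=example,dc=com"


def norm_dn(dn: str) -> str:
    """Crude DN normalisation (case-fold, drop spaces around commas). Enough
    for the sample data; not a full RFC 4514 implementation."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, continuation
    lines start with one space. Returns {dn: {attribute(lowercased): [values]}}.
    Base64 (::) and URL (:<) values are not handled."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries: Dict[str, Dict[str, List[str]]] = {}
    dn: Optional[str] = None
    attrs: Dict[str, List[str]] = {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def groups_of(entries: Dict[str, Dict[str, List[str]]], user_dn: str) -> List[str]:
    """Reverse lookup. Membership lives on the group entry, so a user's groups
    are the group entries whose member/uniqueMember lists the user's DN."""
    user = norm_dn(user_dn)
    found: List[str] = []
    for dn, attrs in entries.items():
        classes = [oc.lower() for oc in attrs.get("objectclass", [])]
        for oc, attr in MEMBER_ATTR.items():
            if oc in classes and any(norm_dn(m) == user for m in attrs.get(attr, [])):
                found.append(dn)
                break
    return sorted(found)


def password_access(entries: Dict[str, Dict[str, List[str]]],
                    bind_dn: Optional[str], target_dn: str) -> str:
    """Evaluate the thread's ACL for the userPassword attribute of target_dn.
    slapd takes the first matching 'by' clause; if none matches, access is
    denied. bind_dn None models an anonymous connection."""
    if not norm_dn(target_dn).endswith(norm_dn(ACL_SUFFIX)):
        return "none"                     # the access directive does not apply
    if bind_dn is not None:
        member_of = {norm_dn(g) for g in groups_of(entries, bind_dn)}
        if norm_dn(PEOPLEMANAGERS) in member_of:
            return "write"                # by group="cn=peoplemanagers,..." write
        if norm_dn(bind_dn) == norm_dn(target_dn):
            return "write"                # by self write
        return "none"                     # no clause matched: implicit deny
    return "auth"                         # by anonymous auth


if __name__ == "__main__":
    db = parse_ldif(GROUP_LDIF)
    for user in ("cn=mary,ou=people,ou=groups,dc=example,dc=com",
                 "cn=john,ou=people,ou=groups,dc=example,dc=com"):
        print(user, "->", groups_of(db, user))
    print(password_access(db, "cn=bill,ou=people,ou=groups,dc=example,dc=com",
                          "cn=john,ou=people,ou=groups,dc=example,dc=com"))
```

Against a live server the groups_of lookup corresponds to a search from the group side, for example with the filter `(&(objectClass=groupOfNames)(member=cn=bill,ou=people,ou=groups,dc=example,dc=com))`; the point of the model is that the information is held on the group, not on the user entry, which is why the ACL can be checked against the group DN directly.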