
Re: apping ACLs to groupmembers



* Dieter Kluenter (dieter@dkluenter.de) [040117 17:44]:
> Andreas Schuldei <andreas@schuldei.org> writes:
> > I have (posixAccount)-users and (groupOfNames AND
> > posixGroup)-groups in my ldap directory. Now I want to enable
> > users in one group (junior admins) to edit the userPassword files
> > for everyone in another group (students) but not other groups
> > (like teachers and admins).
> >
> > I have read up on ACLs and look for a way to write that ACL
> > entry. The DNs of students, teachers and admins look alike:
> > uid=XXX,ou=People,dc=...
> > so I can't filter on dn.subtree or so (as far as I know).
> >
> > But then I don't know so much about ACLs...
> >
> > Can I filter for this, somehow? I imagine my filtering must
> > return real ldap entries which are allowed to be accessed, not
> > just one entry which contains the forbidden and allowed DNs (in
> > the member attribute of the groupOfNames groups)?
> 
> If you are looking for access control not based on subtrees but on
> entries you should try aci's.

This has become an issue again and still needs solving.

To clarify:

Members in group A can write to certain attributes of entries in group B.
Members in group C can write to certain attributes of entries in group A and B.

The groups are hybrids of posixGroup and groupOfNames.

I use the Debian packages, which don't have ACIs compiled in
(since they are experimental and about to change soon, I hear).
Especially the "changing" bit would be a pain since it might
break upgrades. I am not sure how recompilation of the package
(with ACIs enabled) would impact library compatibility.