Re: Recursive access control for groups
<quote who="Alina Dubrovska">
> Gavin,
>
> Thank you for the reply and the suggestion about support services!
> However, I'm hoping that somebody on the list is familiar with the
> sets syntax for defining an ACL and would be able to determine whether an
> ACL like this is correct:
>
> access to attrs=employeeType,employeeNumber
>     by self write
>     by set="[cn=System Administrator,ou=groups,dc=domain,dc=com]/uniqueMember* & user" write
>     by * read
Switch on ACL debugging and run slapd by hand to check.
>
> So, we have a parent group (groupOfUniqueNames, "System Administrator")
> and all members should be granted access permission to modify specific
> attributes. Then we need to have the ability to add new child groups at
> runtime, so that all child group members would be automatically granted
> the same set of permissions as the parent group. Without modifying
> slapd.conf and restarting the server, of course.
>
> Probably there is some important nuance with the sets syntax, or maybe
> there is another alternative solution?
>
> Because, as I mentioned, with the stated ACL we have performance issues on
> one OpenLDAP instance and a fatal crash on another...
Sets are somewhat experimental.
Well, crashes shouldn't happen, so that should be a bug report via
http://www.openldap.org/its.
Please read http://www.openldap.org/doc/admin24/troubleshooting.html for
submitting proper bug reports.
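
A simplified model of how the recursive set in the quoted ACL resolves nested groups, added here as an illustration; it is not code from the thread participants or from OpenLDAP. The directory contents, the `cn=DBA` child group, the user DNs and all function names are constructed assumptions.

```python
# Simplified model of how a recursive set such as
#   [cn=System Administrator,ou=groups,dc=domain,dc=com]/uniqueMember* & user
# is evaluated. Not slapd's code; all entries below are constructed sample data.

GROUP = "cn=System Administrator,ou=groups,dc=domain,dc=com"

# Constructed directory: DN -> uniqueMember values (only groups have any).
DIRECTORY = {
    GROUP: [
        "uid=alice,ou=people,dc=domain,dc=com",
        "cn=DBA,ou=groups,dc=domain,dc=com",
    ],
    "cn=DBA,ou=groups,dc=domain,dc=com": [
        "uid=bob,ou=people,dc=domain,dc=com",
        GROUP,  # membership loop: the walk must not recurse forever
    ],
}


def normalize(dn):
    """Crude DN normalization for the model: case and spacing around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def expand_recursive(directory, start_dn, lookups=None):
    """Model of [start_dn]/uniqueMember*: follow member values that are
    themselves entries with members, visiting each entry only once."""
    entries = {normalize(dn): vals for dn, vals in directory.items()}
    seen, result, stack = set(), set(), [normalize(start_dn)]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        if lookups is not None:
            lookups.append(dn)  # one entry fetch per visited DN in this model
        for member in entries.get(dn, []):
            member = normalize(member)
            result.add(member)
            stack.append(member)
    return result


def set_grants_write(directory, group_dn, user_dn):
    """Model of `<set> & user`: granted when the intersection is non-empty."""
    return normalize(user_dn) in expand_recursive(directory, group_dn)
```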