Re: Recursive access control for groups

["Alina Dubrovska" <alina.second@gmail.com>]

Gavin,

 

Thank you for reply and suggestion about support services!

However, I'm looking forward that somebody from the list is familiar with sets syntax for defining an ACL and would be able to determine if ACL like this is correct:

 

access to attrs=employeeType,employeeNumber
        by self write
        by set="[cn=System Administrator,ou=groups,dc=domain,dc=com]/uniqueMember* & user" write
        by * read

So, we have a parent group (groupOfUniqueNames, "System Administrator") and all members should be granted access permission to modify specific attributes. Then we need to have ability to add new child groups in runtime, so that all child group members would be automatically granted the same set of permissions as parent group. Without modifying slapd.conf and restarting server of course.

 

Probably there is some important nuance with sets syntax or maybe there is any another alternative solution?

 

Because as I mentioned, with stated ACL we have performance issues on one OpenLDAP instance and fatal crash on another...

 

 

Regards,

Alina.

 

 

On Dec 7, 2007 1:46 AM, Gavin Henry <ghenry@suretecsystems.com> wrote:

 > That is very urgent and critical for our project, we really need to
> solve this problem as soon as possible!
> Please help!!!
>

http://www.openldap.org/support/ for urgent things.

Most people on these lists use their spare time.