
Re: set ACL specification/syntax



Andrew Cobaugh wrote:
> On Fri, Mar 6, 2009 at 4:10 PM, Quanah Gibson-Mount <quanah@zimbra.com> wrote:
>> If you set the cn value on every group they are supposed to be able to write
>> to, then they'll be able to write to any of those groups.  I.e., "this/cn"
>> is the group entry in question.  I'm assuming you want them to be able to
>> write to any group they have control of.  If you don't, then simply remove
>> the cn=uid value from the group.
>
> Perhaps I didn't articulate my point well enough.
>
> I want them to be able to *create* these entries on their own, they
> won't be pre-created. So, I want them to be able to create entries
> under ou=group but only if they are of the form uid:.+

access to dn.exact="ou=group,dc=domain" attrs=children
        by users write
access to dn.regex="cn=(.*):.*,ou=group,dc=domain"
        by set.expand="$1 & user/uid" write

You'll also need to use OpenLDAP 2.4.13 or newer, to control who can add entries. (See slapd-config(5), olcAddContentAcl)

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
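To see how the two clauses in the reply above combine when a user tries to add a group entry, here is a small stand-alone model of their evaluation (an added illustration, not slapd code and not part of the thread): the regex is the one from the post, while the directory contents, user names and the `may_*` helper functions are constructed for the example. It models slapd's unanchored regex matching and the set semantics of `set.expand` (access is granted when the resulting set is non-empty), and it assumes olcAddContentAcl is on so that an add also requires write access to the new entry itself.

```python
import re

# Constructed model of the two ACL clauses from the reply (hypothetical
# evaluator, not slapd). The regex is the one from the post; users are made up.
GROUP_BASE = "ou=group,dc=domain"
# dn.regex in slapd is unanchored unless you write ^ and $ yourself,
# so the model uses re.search, not re.fullmatch.
GROUP_DN_RE = re.compile(r"cn=(.*):.*,ou=group,dc=domain")

# Constructed directory: bound DN -> attribute values of that entry.
DIRECTORY = {
    "uid=alice,ou=people,dc=domain": {"uid": {"alice"}},
    "uid=bob,ou=people,dc=domain": {"uid": {"bob"}},
}

def may_add_child(bound_dn, parent_dn):
    """Clause 1: access to dn.exact="ou=group,dc=domain" attrs=children
    by users write. Any authenticated user may add children under ou=group."""
    return bound_dn in DIRECTORY and parent_dn == GROUP_BASE

def may_write_group(bound_dn, target_dn):
    """Clause 2: access to dn.regex="cn=(.*):.*,ou=group,dc=domain"
    by set.expand="$1 & user/uid" write.
    $1 is the text captured before the colon in cn (greedy, so with several
    colons it is everything up to the last one); the set is its intersection
    with the bound user's uid values and access is granted only if non-empty."""
    m = GROUP_DN_RE.search(target_dn)
    if m is None:
        return False  # not a "uid:name" group entry, clause does not apply
    captured = {m.group(1)}
    user_uids = DIRECTORY.get(bound_dn, {}).get("uid", set())
    return bool(captured & user_uids)

def may_create_group(bound_dn, target_dn):
    """Adding an entry needs 'children' write on the parent and, with
    olcAddContentAcl enabled (OpenLDAP 2.4.13+), write on the new entry too.
    Parent is derived naively (first comma); good enough for these sample DNs."""
    parent = target_dn.split(",", 1)[1]
    return may_add_child(bound_dn, parent) and may_write_group(bound_dn, target_dn)

if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=domain"
    for dn in ("cn=alice:admins,ou=group,dc=domain",
               "cn=bob:admins,ou=group,dc=domain",
               "cn=admins,ou=group,dc=domain"):
        print(dn, "->", may_create_group(alice, dn))
```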