[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
User managed groups - ACLs
Hi list,
I am currently trying to make it possible for ordinary users to manage
their own groups in the following way:
1 Any user can create new groups ("groupOfNames").
1.1 On creation, the creator is set to be the first member and
manager of the group (the latter is defined as a single-value
attribute (UDBgrpAdmin) for a self defined auxiliary objectClass
"UDBgrp").
1.2 Some names should be prohibited from being used for new groups.
2 Group managers can invite any user to the group by adding their DN
to the invited list of the group (UDBgrpInvited) and revoke
invitations by removing DNs from said list.
2.1 Group managers can kick members from the group.
2.2 Group managers can delete the group.
2.3 Group managers can assign a new manager who has to be a member of
the group.
2.4 Group managers can (re)set a description for the group.
3 Invited users can accept or decline the invitation, i.e. remove
themselves from the invite list and add themselves to the member
list.
4 Group members can leave the group permanently or temporarily. The
latter is achieved by moving themselves from the member list to a
suspended list (UDBgrpSuspended) which allows them to rejoin the
group later (i.e. move themselves back to the member list) without
a new invitation.
I have most of the above covered, but I'm struggling with the points
1.1, 2.3 and to some extend 1.2.
1.1 and 2.3: I have no idea if this is even possible, let alone how to
achieve it.
1.2: By extending the 'filter' rule that limits the objectClasses for
new entries in "ou=Group" I can make a blacklist for 'cn' values, but
I'd rather have something in the DIT itself, so I can modify the list
without meddling with the server config. This is optional, though, since
I don't except the list to change very often.
This is what I've got so far:
<http://openldap.pastebin.com/n8P4eKvU>
Any help would be appreciated.
Regards,
Christian Manal