
Re: Letting Users Create Groups



On 17.03.2011 18:08, Tim Gustafson wrote:
> Hi,
> 
> I'd like to let users create posixGroup objects, but I don't want them to be able to pick a gidNumber that is already in use, or that is less than 1000 or greater than 10000, and I only want the groups to be created in the ou=Group,dc=example,dc=com container.
> 
> Is this possible with OpenLDAP ACLs?
> 


Hi,

To prevent gidNumber duplicates you probably need slapo-unique. ACLs
along these lines should do the rest:


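# Let authenticated users create child entries under the group container.
access to dn.exact="ou=Group,dc=example,dc=com" attrs=children
   by users write

# Only allow adding posixGroup entries whose gidNumber is within 1000..10000.
access to dn.sub="ou=Group,dc=example,dc=com" attrs=entry
 filter="(&(objectClass=posixGroup)(gidNumber>=1000)(gidNumber<=10000))"
   by users add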


Regards,
Christian Manal
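
The slapo-unique part of the reply above, written out as an added slapd.conf example that is not part of the original message. The container DN is the one from the question; loading the overlay with "moduleload unique" assumes it was built as a dynamic module.

```conf
# Added example, not from the original thread.
# Global section, before any "database" line. Assumption: slapo-unique
# was built as a loadable module; omit this line if it is compiled in.
moduleload unique

# Inside the database section that holds dc=example,dc=com,
# after its "suffix" line:
overlay unique

# Refuse any add, modify or modrdn that would give two posixGroup
# entries below the group container the same gidNumber.
#   base   ou=Group,dc=example,dc=com  only this subtree is checked
#   attrs  gidNumber                   the attribute that must be unique
#   scope  sub                         the container and everything below
#   filter (objectClass=posixGroup)    ignore other entries carrying a
#                                      gidNumber (posixAccount has one too)
unique_uri ldap:///ou=Group,dc=example,dc=com?gidNumber?sub?(objectClass=posixGroup)
```

Uniqueness is only enforced inside the URI's base and scope, so a gidNumber already used by a group stored outside ou=Group,dc=example,dc=com is not detected.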