
Re: Schema Design :: ACL on Groups by Group Members only



On Thu, 17 Mar 2011 12:01:15 -0700,
sim123 <Sim3159@gmail.com> wrote:

> Hi There,
> 
> I want "n" number of groups (or similar structure which keeps member
> information) to be created and only group members have access to those
> groups. Members are defined in a separate user branch, so my DIT looks
> like
> 
> dc=example,dc=com
> +--ou=people,dc=example,dc=com
> +----uid=bjanson,ou=users,dc=example,dc=com
> +----uid=matt,ou=users,dc=example,dc=com
> +--cn=group1,dc=example,dc=com (groupOfNames)
> +----cn=subgroup1,dc=example,dc=com (groupOfNames)
> 
> now users bjanson and matt are member of group1, only bjanson is
> member of subgroup1. I would like to have ACL defined so only members
> can access their group. I don't need any ACL on subgroup as long as
> only all members of parent group can access it.
> 
> Is it possible to do that in a generic form, because the basic ACL syntax
> needs a dn/filter in the "access to" clause? In my example, if I have n
> groups I will end up having n access control statements in slapd.conf,
> which doesn't sound like a good idea.
> 
> Also, I don't need to use groups as such, but groupOfNames/
> groupOfUniqueNames are the only classes which support the member attribute.
> Please let me know if there is any other objectClass I should use.
> 
> Thanks for all the help and support, I appreciate it very much.

You may use the almost undocumented access control by sets
http://www.openldap.org/faq/data/cache/1133.html
http://www.openldap.org/faq/data/cache/1134.html
These documents provide some examples.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
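To make that pointer concrete, here is what a set-based ACL looks like in slapd.conf for the DIT sketched in the question. This is an added example, not part of Dieter's reply or of the FAQ pages he links. It assumes user entries live under ou=people,dc=example,dc=com, that group entries sit directly under the suffix, and that nested groups are children of their parent group (cn=subgroup1,cn=group1,dc=example,dc=com); the regex patterns and the ou names are illustrative choices, not something the thread states.

```conf
# Added example, not from the original reply. Assumes user entries under
# ou=people,dc=example,dc=com, groups directly under the suffix, and nested
# groups as children of their parent group.

# Users must be able to find and bind as themselves before any group rule
# matters; "by * auth" permits the simple bind without disclosing the
# entries to anonymous clients.
access to dn.subtree="ou=people,dc=example,dc=com"
        by self write
        by users read
        by * auth

# One rule covers every top-level group: any entry directly below the
# suffix whose RDN is cn=<anything>. In a set clause "this" is the entry
# being accessed, so "this/member" expands to the DNs in its member
# attribute, and "& user" intersects that set with the bound user's DN.
# The clause matches only when the intersection is non-empty, i.e. when
# the bound user is listed as a member of that particular group.
access to dn.regex="^cn=[^,]+,dc=example,dc=com$"
        by set="this/member & user" read
        by * none

# Nested groups: members of the parent may read the child. The
# parenthesised part of the regex captures the parent group's DN and the
# set.expand style substitutes it for $1, so the set is built from the
# parent's member attribute rather than the child's own.
access to dn.regex="^cn=[^,]+,(cn=[^,]+,dc=example,dc=com)$"
        by set.expand="[$1]/member & user" read
        by * none

# Anything else under the suffix stays closed to ordinary users.
access to dn.subtree="dc=example,dc=com"
        by * none
```

Two things to keep in mind when adapting this: slapd stops at the first "access to" whose target matches, so the people-branch rule has to precede the catch-all at the bottom, and the two group regexes are deliberately disjoint (a top-level group has no second cn component) so their order relative to each other does not matter. The rootdn bypasses ACLs entirely, which is convenient for populating the groups but means you cannot use it to verify the rules; check them as a real user instead, for example with slapacl(8) against the configuration, binding as uid=matt and asking for read access to cn=subgroup1,cn=group1,dc=example,dc=com, which should be denied, and to cn=group1,dc=example,dc=com, which should be granted.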