
Re: ACL and groups

At 12:17 PM 7/1/99 +0200, Emmanuel JEGOU wrote:
> Hello,
>
>I have persons under the entry "ou=people,o=Naonet Company,c=fr" who are
>identified by their 'cn'.
>All of them have a 'businesscategory' attribute and I would like to grant
>access to the persons who belong to the same 'businesscategory' by a
>group of persons. This group is identified by a 'groupOfUniqueNames'
>objectClass and each unique member could access people who belong to
>the specified 'businesscategory' attribute. The group is located at:
>"cn=Staff Administration Group,ou=Administrations Groups,o=Naonet
>Company,c=fr".
>
>The dnattr specification can be used only if the uniquemember attribute is
>in the entry to which the access applies.
>
>Is there something that could do this?

Yes.

>With the Netscape Directory, I know there is the groupdn option in an
>'aci' attribute, but is there an equivalent in OpenLDAP ?

Yes, group ACLs (http://www.openldap.org/faq/index.cgi?file=52)

Ignoring the 'businesscategory' requirement, you could have
one rule:

# members of the staff group may write any entry under ou=people;
# everyone else gets nothing
access to dn=".*,ou=people,o=Naonet Company,c=fr"
    by group="cn=Staff Administration Group,ou=Administrations Groups,o=Naonet Company,c=fr" write
    by * none

Now, say you have two businesscategories X and Y and groups X and Y to
administer them, respectively.  You minimally need two rules....
I would think something like the following might work.

# X rule
access to dn=".*,ou=people,o=Naonet Company,c=fr" filter="(businesscategory=X)"
    by group="cn=X Administration Group,ou=Administrations Groups,o=Naonet Company,c=fr" write
    by * none

# Y rule
access to dn=".*,ou=people,o=Naonet Company,c=fr" filter="(businesscategory=Y)"
    by group="cn=Y Administration Group,ou=Administrations Groups,o=Naonet Company,c=fr" write
    by * none

(They would be added ABOVE the first example)

Now, I said "minimally" because this might not give you the behavior
you desire... businesscategory might be multivalued or may not exist
or may not have a value X or Y.  I recommend avoiding ACLs with
attribute content "what" clauses. 

Kurt
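The following is an added illustration, not part of Kurt's message and not OpenLDAP code: a small Python model of how slapd walks an ordered access list (first matching "access to" clause wins, and within it the first matching "by" clause decides). It loads the three rules from the message into constructed sample data and shows the two effects discussed above: the category rules must sit above the catch-all staff rule, and a multivalued or absent businesscategory gives results an administrator may not expect. The admin account DNs (cn=xadmin, cn=yadmin, cn=staff under an assumed ou=admins container), the anchored DN regex, exact-value filter matching and deny-by-default are simplifications assumed for this model.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data for this example (not from the list post).
PEOPLE = "ou=people,o=Naonet Company,c=fr"
GROUPS = "ou=Administrations Groups,o=Naonet Company,c=fr"
ADMINS = "ou=admins,o=Naonet Company,c=fr"   # assumed container for admin accounts

DIRECTORY = {
    f"cn=alice,{PEOPLE}": {"businesscategory": ["X"]},
    f"cn=bob,{PEOPLE}": {"businesscategory": ["Y"]},
    f"cn=carol,{PEOPLE}": {"businesscategory": ["X", "Y"]},  # multivalued, as Kurt warns
    f"cn=dave,{PEOPLE}": {},                                  # attribute absent
    f"cn=X Administration Group,{GROUPS}": {"uniquemember": [f"cn=xadmin,{ADMINS}"]},
    f"cn=Y Administration Group,{GROUPS}": {"uniquemember": [f"cn=yadmin,{ADMINS}"]},
    f"cn=Staff Administration Group,{GROUPS}": {"uniquemember": [f"cn=staff,{ADMINS}"]},
}


@dataclass(frozen=True)
class By:
    who: str    # "*" or "group=<group DN>"
    level: str  # e.g. "write", "read", "none"


@dataclass(frozen=True)
class Rule:
    name: str
    dn_regex: str                                  # the dn= pattern of an "access to" line
    filter_: Optional[Tuple[str, str]] = None      # (attribute, value) for filter=(attr=value)
    by: Tuple[By, ...] = ()                        # ordered "by" clauses


def by_group(group_dn):
    return f"group={group_dn}"


DN_PATTERN = rf".*,{re.escape(PEOPLE)}"
X_RULE = Rule("X rule", DN_PATTERN, ("businesscategory", "X"),
              (By(by_group(f"cn=X Administration Group,{GROUPS}"), "write"), By("*", "none")))
Y_RULE = Rule("Y rule", DN_PATTERN, ("businesscategory", "Y"),
              (By(by_group(f"cn=Y Administration Group,{GROUPS}"), "write"), By("*", "none")))
STAFF_RULE = Rule("catch-all", DN_PATTERN, None,
                  (By(by_group(f"cn=Staff Administration Group,{GROUPS}"), "write"), By("*", "none")))

RULES = [X_RULE, Y_RULE, STAFF_RULE]              # the order Kurt recommends
RULES_WRONG_ORDER = [STAFF_RULE, X_RULE, Y_RULE]  # catch-all first: category groups never reached


def is_member(directory, group_dn, requester_dn):
    """True if requester_dn is listed as uniqueMember of the group entry."""
    return requester_dn in directory.get(group_dn, {}).get("uniquemember", [])


def rule_applies(rule, directory, target_dn):
    """The 'to' part: DN pattern must match (modelled as anchored) and, if a
    filter is present, the target entry must carry that attribute value."""
    if not re.fullmatch(rule.dn_regex, target_dn):
        return False
    if rule.filter_ is None:
        return True
    attr, value = rule.filter_
    return value in directory.get(target_dn, {}).get(attr, [])


def evaluate(rules, directory, target_dn, requester_dn):
    """Return (rule name, access level) with first-match semantics: the first
    applicable 'access to' clause is the only one consulted, and within it the
    first matching 'by' clause decides.  A matching 'to' with no matching 'by',
    or no matching rule at all, is modelled as no access."""
    for rule in rules:
        if not rule_applies(rule, directory, target_dn):
            continue
        for clause in rule.by:
            if clause.who == "*":
                return rule.name, clause.level
            if clause.who.startswith("group=") and is_member(
                    directory, clause.who[len("group="):], requester_dn):
                return rule.name, clause.level
        return rule.name, "none"
    return None, "none"


if __name__ == "__main__":
    for person in ("alice", "bob", "carol", "dave"):
        for admin in ("xadmin", "yadmin", "staff"):
            rule, level = evaluate(RULES, DIRECTORY, f"cn={person},{PEOPLE}", f"cn={admin},{ADMINS}")
            print(f"{admin:7} -> {person:6}: {level:5} (decided by {rule})")
```

Running the script shows carol (businesscategory X and Y) is decided by the X rule alone, so the Y administrators get "none" on her entry, and dave (no businesscategory) falls through to the catch-all where only the staff group can write. Swapping in RULES_WRONG_ORDER makes the catch-all absorb every entry under ou=people, which is why the category rules have to be added above it.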