[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL assistance needed ...

To: Anthony Brock <abrock@georgefox.edu>
Subject: Re: ACL assistance needed ...
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Sun, 18 Jun 2000 08:12:26 -0700
Cc: openldap-software@OpenLDAP.org
In-reply-to: <4.2.2.20000615071513.00a7c820@localhost>

At 07:35 AM 6/15/00 -0700, Anthony Brock wrote:
>We have been creating all our groups and individuals with an element called 
>'owner'.  Our intention with this element is to enable the members of any 
>groups listed as owners of an object to completely administrate/change 
>aspects of the subject objects.

OpenLDAP 1.x doesn't support such.  It supports dnattr=owner,
but owner must contain DN of authenticated users access is to
be granted to.  It supports groups, but groups must be specified
(by regex) in the configuration file.  What you want is
grattr=owner... which doesn't exist (yet).


>For example, if I have:
>
>cn=Building Monitor,o=George Fox University,c=US
>cn=Building Monitor
>owner=cn=Building Monitor Administrators,o=George Fox University,c=US
>member=cn=User One,o=George Fox University,c=US
>member=cn=User Two, o=George Fox University, c=US

Note that in older versions of OpenLDAP had a bug which required
member attribute values to be normalized (no spaces commas).  Was
fixed in 1.2.11.

>objectclass=top
>objectclass=groupOfNames
>
>cn=Building Monitor Administrators,o=George Fox University,c=US
>cn=Building Monitor Administrators
>owner=cn=Administrators,o=George Fox University,c=US
>member=cn=Andy Administrator,o=George Fox University,c=US
>objectclass=top
>objectclass=groupOfNames
>
>I would like members of group 'cn=Administrators,o=George Fox 
>University,c=US' (not shown above) to be able to administrate 
>(add/delete/modify members of) group 'cn=Building Monitor 
>Administrators,o=George Fox University,c=US', and I would THEN like members 
>of 'cn=Building Monitor Administrators,o=George Fox University,c=US' to be 
>able to administrate the group 'cn=Building Monitor,o=George Fox 
>University,c=US'.
>
>As a work around, I have temporarily implemented each 'administration' 
>group with the name of the owned group + ' Administrators' in the DN of the 
>object.  Unfortunately, this will only allow one group to administrate one 
>other group.  How do I build the ACL to do this?
>
>And before I forget, the ACL in the FAQ I had to tweak to get functioning 
>looked like:
>
>access to dn="cn=[^,]+,o=[^,]+,c=[^,]+" attrs=member by group="cn=$1 
>Administrators,o=$2,c=$3" write
>
>but had to be changed to:
>
>access to dn="cn=([^,]+),o=([^,]+),c=([^,]+)" attrs=member by group="cn=$1 
>Administrators,o=$2,c=$3" write
>
>This was on my Sun Sparc with Solaris 2.7 and OpenLDAP 1.2.11.
>
>Tony
>******************************************************************************
>* Anthony Brock                                         abrock@georgefox.edu *
>* Director of Network Services                         George Fox University *
>******************************************************************************
>-----BEGIN PGP SIGNATURE-----
>Version: PGPfreeware 6.5.1 Int. for non-commercial use <http://www.pgpinternational.com>
>
>iQA/AwUBOUjpwRuaxl/7L1qlEQK2vwCdHBt1IuW82sHxHomtgUEuPKkE8eQAn3BP
>ZWIB7tmyckojq3WpLHlOFPxQ
>=VLKR
>-----END PGP SIGNATURE-----
>
>

References:
- ACL assistance needed ...
  - From: Anthony Brock <abrock@georgefox.edu>

Prev by Date: Re: ACI problems...
Next by Date: Re: basedn is unable to see OUs
Index(es):
- Chronological
- Thread