
Re: questions about acls.

> Luke Howard suggests making posixGroups auxiliary object classes to an
> actual groupOfNames oc.

Would I do this by editing the nis.schema and changing the objectclass
definition of posixGroup from having "SUP top" to "SUP groupOfNames"?

What about just adding "member" to the "MAY" list of posixGroup?  What are
the repercussions I'm gonna have to deal with from messing with the
standard schemas?

> With this, there would be a "memberUid" as
> well as "member" for each person. The "group" in acls only work when
> the bound member's DN matches a member of that group, so you MUST
> implement groupOfNames. The same goes for "dnattr". You can use that
> but only for "owner" or "member" or another attribute whose syntax is
> a DN.

I assume there wouldn't be any problems with having a mixture of
posixGroups and groupOfNames in "ou=groups,dc=blah,dc=com"?  It seems a
little messy, but that way unix groups can be posixGroups and groups which I
want to reference in ACLs can just be groupOfNames?

> In order to bind, I don't believe the user needs any access except
> auth. I could be wrong. It's a good idea to have an acl allowing full
> access to one's entry, and then another one denying them access to
> specific attributes you don't want them to modify (such as uid,
> uidNumber, etc...).

Would it make sense to have the "defaultaccess" in the slapd.conf set to
auth and then allow greater privilege from there?

> Not sure how pam binds to the ldap server. Might want to check slapd's
> logs. NSSLDAP doesn't deal with changing passwords. ldappasswd is for
> that purpose, though.

Sorry, I'm using the Solaris 8 libraries, not the padl.com ones.  I believe
(though I have yet to do it) that they provide for this via PAM.

> There is a GOOD acl doc on the openldap faq-o-matic. it's under
> developer's guide and then slapd configuration.

Ah, got it, thanks. I'd missed that.

> Heh. Anyway, hope this helps.

Yes it does, thanks.
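As an added example (not from this thread or from OpenLDAP's own docs), here is a slapd.conf access section in the OpenLDAP 2.0-style syntax the thread is using. It shows the points raised above: "group=" only matches a bound DN listed in a groupOfNames "member" attribute, "dnattr=" works on a DN-syntax attribute such as "owner", and the clause restricting specific attributes has to come before the "self write" clause because slapd uses the first matching "access to" clause and, within it, the first matching "by" clause. The base DN dc=example,dc=com, the ou=people/ou=groups layout and the cn=ldapadmins group are assumed.

```conf
# Added example, not from the thread. DNs below are assumed.
# slapd evaluates "access to" clauses top to bottom and stops at the first
# whose target matches; within that clause the first matching "by" wins.

# Applies only when NO "access to" clause matches. With the "access to *"
# catch-all at the bottom it is never consulted, so binding must be
# granted explicitly on userPassword instead of via defaultaccess.
defaultaccess none

# Password: owner may change it, anonymous may only use it to bind ("auth"),
# nobody may read it back.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Attributes a user must NOT change on their own entry. Must precede the
# broader "self write" clause below, or it would never be reached.
# group= is satisfied only when the bound DN appears in the group's
# "member" attribute, hence the ACL group must be a groupOfNames.
access to dn=".*,ou=people,dc=example,dc=com"
       attrs=uid,uidNumber,gidNumber,homeDirectory,loginShell
    by group="cn=ldapadmins,ou=groups,dc=example,dc=com" write
    by self read
    by users read
    by * none

# Everything else on a person's entry: owner edits, other bound users read.
access to dn=".*,ou=people,dc=example,dc=com"
    by group="cn=ldapadmins,ou=groups,dc=example,dc=com" write
    by self write
    by users read
    by * none

# Group entries: dnattr=owner grants write to whoever is named in the
# entry's own "owner" attribute (DN syntax). A plain posixGroup has no
# owner/member values, so such entries fall through to read-only.
access to dn=".*,ou=groups,dc=example,dc=com"
    by group="cn=ldapadmins,ou=groups,dc=example,dc=com" write
    by dnattr=owner write
    by users read
    by * none

# Catch-all: authenticated users read, anonymous gets nothing.
access to *
    by users read
    by * none
```

Mixing posixGroup and groupOfNames entries under ou=groups works with these rules because the "group=" and "dnattr=" tests simply fail on entries that lack the member/owner attributes rather than erroring.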