[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: group access "write" in OpenLDAP 2.1.4
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Tony Earnshaw
> > access to *
> > by group="cn=administrators,dc=example,dc=com" write
> > by * auth
>
> I have a group, peoplemanagers, that has *limited* rights to change
> certain attributes of members of a local group. These attributes are
> personal details, such as phone number, password etc.
>
> This is the relevant line from my ACL, it works :-) This is on a single
> line:
>
> by group="cn=peoplemanagers,ou=groups,dc=billy,dc=demon,dc=nl"
> dnattr=member write
This doesn't look right to me, but I'm not sure I understand the example. It
sounds to me like you have a group "cn=local group,dc=example,dc=com" and you
have another group "cn=peoplemanagers,dc=example,dc=com" and you're saying
that the members of "peoplemanagers" are allowed to modify attributes on the
members of "local group."
There is no facility that lets you specify members of a group as the target
of an ACL. It might be nice to say "access to group=foo by group=bar write"
but slapd doesn't support this.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support