[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Strange ACL request

To: "'Jerry Haltom'" <wasabi@larvalstage.net>, <openldap-software@OpenLDAP.org>
Subject: RE: Strange ACL request
From: "Howard Chu" <hyc@highlandsun.com>
Date: Wed, 16 Apr 2003 17:13:14 -0700
Importance: Normal
In-reply-to: <1050536551.2887.12.camel@station-1>

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Jerry Haltom

> Would it be possible to assign a ACL by member of group in ldap.
>
> This seems hard to explain
>
> gid=admins,ou=groups,dc=feedbackplusinc,com
> memberUid: jhaltom
> memberUid: lburton
>
> I would want both
> uid=jhaltom,ou=users,dc=feedbackplusinc,dc=com as well
> as the same with lburton to have higher permissions. I don't want to
> specify these users specifically in the slapd.conf.
>
> I was wondering if this kind of regular expression, substitution,
> whatever, is possible in a OpenLDAP 2.1 ACL?

It looks like you're using RFC2307. For the most part, the OpenLDAP ACL
engine only operates on identities that are expressed as distinguished names,
so it won't recognize those memberUids. You should use RFC2307bis instead,
which uses DNs for group members instead of uids.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

References:
- Strange ACL request
  - From: Jerry Haltom <wasabi@larvalstage.net>

Prev by Date: RE: Ldap authentication
Next by Date: Re: Strange ACL request
Index(es):
- Chronological
- Thread