
Re: Strange ACL request



"by group.base" was exactly what I was looking for. Thank you very much.


On Wed, 2003-04-16 at 19:17, Quanah Gibson-Mount wrote:
> --On Wednesday, April 16, 2003 6:42 PM -0500 Jerry Haltom 
> <wasabi@larvalstage.net> wrote:
> 
> > Would it be possible to assign an ACL by member of group in LDAP?
> >
> > This seems hard to explain
> >
> > gid=admins,ou=groups,dc=feedbackplusinc,dc=com
> > memberUid: jhaltom
> > memberUid: lburton
> >
> > I would want both uid=jhaltom,ou=users,dc=feedbackplusinc,dc=com as well
> > as the same with lburton to have higher permissions. I don't want to
> > specify these users specifically in the slapd.conf.
> >
> > I was wondering if this kind of regular expression, substitution,
> > whatever, is possible in an OpenLDAP 2.1 ACL?
> 
> Yes, although lburton would simply be in an ACL group with higher 
> permissions, not in both locations.
> 
> We use that right now @ Stanford for our ldapAdmins group.
> 
> Something like:
> 
> dn: cn=admins,ou=groups,dc=feedbackplusinc,dc=com
> objectClass: groupOfNames
> cn: admins
> member: uid=jhaltom,ou=users,dc=feedbackplusinc,dc=com
> <other ldapadmin members>
> 
> Then in your slapd.ACL file
> 
> access to *
> 	by group.base="cn=admins,ou=groups,dc=feedbackplusinc,dc=com" read
> 	by * break
> 
> --Quanah
> 
> 
> 
> --
> Quanah Gibson-Mount
> Senior Systems Administrator
> ITSS/TSS/Computing Systems
> Stanford University
> GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
>
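
Added example, not part of the thread: the question lists members as bare `memberUid` names, while the `group.base` clause in the reply reads a `groupOfNames` entry whose `member` values are full DNs (slapd's defaults for group ACLs). The Python below converts one into the other, assuming users live at `uid=<name>,ou=users,dc=feedbackplusinc,dc=com` as in the thread; the sample posixGroup entry and all function names are constructed.

```python
import base64

# DNs below come from the thread; the sample entry and function names are constructed.
USER_BASE = "ou=users,dc=feedbackplusinc,dc=com"
GROUP_DN = "cn=admins,ou=groups,dc=feedbackplusinc,dc=com"
SAMPLE = """\
dn: cn=admins,ou=posix,dc=feedbackplusinc,dc=com
objectClass: posixGroup
cn: admins
memberUid: jhaltom
memberUid: lburton
memberUid: ops,admin
"""

def ldif_values(ldif, attr):
    """Values of attr in one LDIF entry; handles folded lines and base64 (::)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # continuation of a folded line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    values = []
    for line in lines:
        name, _, rest = line.partition(":")
        if name.lower() == attr.lower():
            b64 = rest.startswith(":")      # "attr:: <base64>"
            text = rest[1:].strip() if b64 else rest.strip()
            values.append(base64.b64decode(text).decode("utf-8") if b64 else text)
    return values

def escape_rdn_value(value):  # RFC 4514 escaping for a value placed inside a DN
    out = "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)
    if value.endswith(" "):
        out = out[:-1] + "\\ "
    if value.startswith("#") or (value.startswith(" ") and len(value) > 1):
        out = "\\" + out
    return out

def group_of_names(ldif):
    uids = list(dict.fromkeys(ldif_values(ldif, "memberUid")))  # drop duplicates
    if not uids:
        raise ValueError("groupOfNames needs at least one member value")
    entry = [f"dn: {GROUP_DN}", "objectClass: groupOfNames", "cn: admins"]
    entry += [f"member: uid={escape_rdn_value(u)},{USER_BASE}" for u in uids]
    return "\n".join(entry) + "\n"

if __name__ == "__main__":
    print(group_of_names(SAMPLE), end="")
```

Without the escaping step, a login name containing a comma would produce a `member` DN that names a different entry than intended, so the ACL would grant access to the wrong identity or to none.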