
Re: help with groups?



On Tue, 29/04/2003 at 22:47, pll+ldap@lanminds.com wrote:

>   Tony> You could have groupOfUniqueNames instead of groupOfNames, but
>   Tony> then you have to have uniqueMember instead of member.
> 
> What is the difference between groupOfUniqueNames and groupOfNames?
> Is it really just a matter of uniqueMember vs member, or are there 
> other implications?

I suppose that as default, you should use the 'unique' attributes. One
of the goodies that you get by using Openldap source to compile your own
material, is a bunch of rfcs to do with directory services, including
some X500 and X400 references.  rfc2294 defines a unique attribute as
one where that can't be mapped back to a different X400 O/R name and
gives examples. Kurt could say more about whether that's still relevant
or not, since he wrote rfc2294 :)

> I stumbled across the groupOfUniqueNames method at the tutorial site 
> someone else mentioned earlier today, and that seemed to be what I
> wanted.  Now I'm not sure.

Nor am I. Both should work, as long as one wasn't using X400 naming
anywhere.

>   Tony> So, your: cn=John J Jones,ou=people,dc=foo,dc=bar would fit
>   Tony> into that pattern.
> 
> Are you saying that this cn style fits into the groupOfUniqueNames 
> pattern rather than the groupOfNames pattern?

No.

>  Is that because
> I'm not making 'ou=groups' part of everyone's dn as you do?

Yes.

> Also, how do you assign "ownership" to a group or 
> branch, such that someone has access rights to that branch and the 
> entire sub-tree?

Why not try it with ACLs and say what doesn't work? There's masses of
stuff in the archives for this list, going back, and people are in
disagreement about what works for them - or can't make it work at all.
It all needs getting used to. You'd do best to keep up to recent
Openldap releases, though.

Here's something adapted out of 'man slapd.access' from 2.17, slightly
adapted. In this case, peoplemanagers isn't supposed to have access to
the ou=people entry itself, just its subentries. (it works for me, I
just tried it :):

access to dn.subtree="ou=people,ou=groups,dc=example,dc=com"
  by group="cn=peoplemanagers,ou=people,ou=groups,dc=example,dc=com" write
  by self write

But this works too, using a regex (I just tried it):

access to dn="cn=([^,]+),ou=people,ou=groups,dc=example,dc=com"
  attrs=entry,children
  by group="cn=peoplemanagers,ou=people,ou=groups,dc=example,dc=com" write
  by dn="cn=$1,ou=people,ou=groups,dc=example,dc=com" write

So, what's best? Basically whatever works in your particular situation.
It's said that for large sites regexes should be avoided, since they
slow things down. However, you can often realize a lot with regexes that
you can't without them. DN styles (dn.subtree and suchlike) don't work
with regexes, but as you see, you can include them as pseudo attributes.

BTW, there's a wrong entry in the ldif I gave you. ou=peoplemanagers
should be cn=.

Best,

Tony

-- 
Tony Earnshaw

Do not come to visit me with both arms the same length.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
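To make the two ACL forms in the mail concrete, here is a small added model (my own Python, not OpenLDAP code and not from the thread) that evaluates which bind DNs each clause grants write to. The in-memory directory, "Mary Manager" and the "uniquemanagers" group are constructed; DN comparison is plain string equality, not schema-aware matching. It also shows two points worth knowing when writing such rules: dn.subtree covers the base entry itself as well as its subordinates, and a regex left unanchored also matches entries below a person's own entry, which is why anchoring with ^ and $ is the safer habit.

```python
import re

BASE = "ou=people,ou=groups,dc=example,dc=com"
GROUP = f"cn=peoplemanagers,{BASE}"          # named with cn=, per the mail's correction
JOHN = f"cn=John J Jones,{BASE}"
MARY = f"cn=Mary Manager,{BASE}"              # constructed group member

# Constructed stand-in for the directory: just what group lookup needs.
DIRECTORY = {
    GROUP: {"objectClass": ["groupOfNames"], "member": [MARY]},
    f"cn=uniquemanagers,{BASE}": {"objectClass": ["groupOfUniqueNames"],
                                   "uniqueMember": [MARY]},
}

def is_member(bind_dn, group_dn, oc="groupOfNames", attr="member"):
    """'by group=<dn>' defaults to groupOfNames/member; a groupOfUniqueNames
    group is only honoured when written as group/groupOfUniqueNames/uniqueMember."""
    entry = DIRECTORY.get(group_dn, {})
    return oc in entry.get("objectClass", []) and bind_dn in entry.get(attr, [])

def in_subtree(dn, base):
    """dn.subtree semantics: the base entry itself plus everything below it."""
    return dn == base or dn.endswith("," + base)

def subtree_acl(target, bind_dn):
    """access to dn.subtree=BASE  by group=GROUP write  by self write"""
    if not in_subtree(target, BASE):
        return None                      # clause does not apply; slapd tries the next one
    if is_member(bind_dn, GROUP):
        return "write"
    if bind_dn == target:                # 'by self': bind DN is the entry being accessed
        return "write"
    return "none"                        # matched the target, but no 'by' clause applied

def regex_acl(target, bind_dn, anchored=False):
    """access to dn="cn=([^,]+),BASE" attrs=entry,children
         by group=GROUP write  by dn="cn=$1,BASE" write"""
    pat = r"cn=([^,]+)," + re.escape(BASE)
    if anchored:                         # ^...$ restricts the match to direct children of BASE
        pat = "^" + pat + "$"
    m = re.search(pat, target)           # unanchored search, as a POSIX regexec() without ^/$
    if not m:
        return None
    if is_member(bind_dn, GROUP):
        return "write"
    if bind_dn == f"cn={m.group(1)},{BASE}":   # $1 expanded from the matched target
        return "write"
    return "none"
```

Run both evaluators against the ou=people entry itself: the dn.subtree clause applies to it, the regex clause does not, which is the practical difference between the two rules in the mail.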