Re: Group membership ACLs
If you're using groupOfNames or groupOfUniqueNames you have to put the
full DN of the user's object in the member/uniqueMember attributes.
After that you have to enable support for RFC2307bis to tell nssldap to
use the member/uniqueMember-stuff and you'll have to use the schema
defined in RFC2307bis.
BTW: That's the only way to get this working, because OpenLDAP will tell
you that you can't create the posixGroup objects, because they're
STRUCTURAL. And groupOfNames or groupOfUniqueNames are STRUCTURAL too.
RFC2307bis defines posixGroup AUXILIARY and you have to use a structural
class like groupOfNames or groupOfUniqueNames. I think that
groupOfUniqueNames fits better than groupOfNames.
With this you won't have redundancy in your objects. But there's a
problem: groupOfUniqueNames defines uniqueMember as MUST-attribute. So
you have to define at least one user in every group you're creating...
Hope this helps.
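As an added illustration (not from the original post), here is what such a group entry looks like under the RFC2307bis schema, with the slapd.conf ACL and nss_ldap setting it pairs with; the gidNumber, the user DNs under ou=people, and the nss_ldap option name are assumptions.

```ldif
# Group entry for the RFC2307bis schema: groupOfUniqueNames is the STRUCTURAL
# class and posixGroup is AUXILIARY, so both can sit on one object without a
# second, redundant group entry.
dn: cn=admins,ou=groups,dc=feedbackplusinc,dc=com
objectClass: top
objectClass: groupOfUniqueNames
objectClass: posixGroup
cn: admins
gidNumber: 10000
# uniqueMember is a MUST attribute of groupOfUniqueNames, so the group needs
# at least one full user DN. These member DNs are constructed examples.
uniqueMember: uid=jhaltom,ou=people,dc=feedbackplusinc,dc=com
uniqueMember: uid=alice,ou=people,dc=feedbackplusinc,dc=com

# Matching slapd.conf ACL (slapd.conf syntax, shown here as a comment):
# slapd checks whether the authenticated bind DN appears in the group's
# uniqueMember attribute, so no regular expression over uid is needed and
# membership is tied to the real DN rather than to a matching uid string.
#   access to dn.subtree="ou=people,dc=feedbackplusinc,dc=com"
#       by group/groupOfUniqueNames/uniqueMember="cn=admins,ou=groups,dc=feedbackplusinc,dc=com" write
#       by self write
#       by * read
#
# nss_ldap side (ldap.conf), so that group lookups read uniqueMember DNs
# instead of memberUid; the option name is assumed and depends on the
# nss_ldap build:
#   nss_schema rfc2307bis
```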
Jerry Haltom wrote:
I have a group object, cn=admins,ou=groups,dc=feedbackplusinc,dc=com.
It is of objectClass posixGroup. It is used for unix authentication and
such. Understandable. Members are listed in it by user id, in the
I want to create a regular expression ACL to assign a certain right when
binding as an object whose uid attribute is contained in this admins
Basically, group permissions on ACLs.
I also want to avoid hopefully creating duplicate items, or duplicate
user listings. It would be nice to have this one memberUid attribute all
that needs to be modified to add somebody into the group.
Is this doable? I looked into groupOfNames, but was unable to get it to
work. I was thinking a regular expression might be more appropriate. Has
anybody managed to accomplish this?
Feedback Plus, Inc.