[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Group membership ACLs

Hi Jerry!

If you're using groupOfNames or groupOfUniqueNames you have to put the full DN of the user's object in the member/uniqueMember attributes.

After that you have to enable support for RFC2307bis to tell nssldap to use the member/uniqueMember-stuff and you'll have to use the schema defined in RFC2307bis.

BTW: That's the only way to get this working, because OpenLDAP will tell you, that you can't create the posixGroup-Objects, because they're STRUCTURAL. And groupOfNames or groupOfUniqueNames are STRUCTURAL too. RFC2307bis defines posixGroup AUXILIARY and you have to use a structural class like groupOfNames or groupOfUniqueNames. I think that groupOfUniqueNames fits better than groupOfNames.

With this you won't have redundancy in your objects. But there's a problem: groupOfUniqueNames defines uniqueMember as MUST-attribute. So you have to define at least one user in every group you're creating...

Hope this helps.


Jerry Haltom schrieb:
I have a group object, cn=admins,ou=groups,dc=feedbackplusinc,dc=com.
It is of objectClass posixGroup. It is used for unix authentication and
such. Understandable. Members are listed in it by user id, in the
memberUid attribute.

I want to create a regular expression ACL to assign a certain right when
binding as an object whose uid attribute is contained in this admins

Basically, group permissions on ACLs.

I also want to avoid hopefully creating duplicate items, or duplicate
user listings. It would be nice to have this one memberUid attribute all
that needs to be modified to add somebody into the group.

Is this doable? I looked into groupOfNames, but was unable to get it to
work. I was thinking a regular expression might be more appropiate. Has
anybdoy managed to accomplish this?


Jerry Haltom
Feedback Plus, Inc.