
RE: help with groups?



How do you create the initial top level directory structure for
GroupOfNames, or can you just add it after you set up the root and
sub-directories?





There are different ways of making different kinds of groups for
different purposes. Here's one (of about 3) that I use:

dn: cn=peoplemanagers,ou=people,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: peoplemanagers
ou: ou=peoplemanagers,ou=groups,dc=example,dc=com
member: cn=bill,ou=people,ou=groups,dc=example,dc=com
member: cn=pete,ou=people,ou=groups,dc=example,dc=com
member: cn=mary,ou=people,ou=groups,dc=example,dc=com

You could have groupOfUniqueNames instead of groupOfNames, but then you
have to have uniqueMember instead of member.

So, your: cn=John J Jones,ou=people,dc=foo,dc=bar would fit into that
pattern.

The fun comes when giving the group rights in your ACLs. Say you want to
let them and the respective "owner" change passwords:

access to dn="dc=example,dc=com"
  attr=userPassword
  by group="cn=peoplemanagers,ou=people,ou=groups,dc=example,dc=com" write
  by self write
  by anonymous auth

(each of the above lines should be written /without/ line breaks, on a
single line.)

Which is relatively easy. But it gets worse in the case of whole DNs and
subtrees under them to which the group has to have rights, and where you
have to start using regexes to make it work. However, try the above
first :)

Best,

Tony

-- 
Tony Earnshaw

Do not come to visit me with both arms the same length.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
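
Added example (not part of the original message and not OpenLDAP code): a small Python model of how the "by" clauses of the ACL in the message are evaluated for userPassword, first match wins, with the implicit "by * none" at the end. DN normalization is simplified, the non-member DN cn=john is constructed, and the target entry is assumed to be one the access directive applies to.

```python
# Added illustration: models first-match evaluation of the ACL's "by" clauses.
GROUP_LDIF = """\
dn: cn=peoplemanagers,ou=people,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
cn: peoplemanagers
member: cn=bill,ou=people,ou=groups,dc=example,dc=com
member: cn=pete,ou=people,ou=groups,dc=example,dc=com
member: cn=mary,ou=people,ou=groups,dc=example,dc=com
"""
GROUP_DN = "cn=peoplemanagers,ou=people,ou=groups,dc=example,dc=com"
# The three "by" clauses in the order they appear in the access directive.
ACL = [("group", GROUP_DN, "write"), ("self", None, "write"), ("anonymous", None, "auth")]

def norm_dn(dn):
    """Simplified DN normalization (assumption: no escaped commas in values)."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, val = rdn.partition("=")
        rdns.append(attr.strip().lower() + "=" + val.strip().lower())
    return ",".join(rdns)

def load_groups(ldif):
    """Parse one LDIF entry and return {group DN: set of member DNs}."""
    entry = {}
    for line in ldif.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, val = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(val.strip())
    if "groupofnames" not in [c.lower() for c in entry.get("objectclass", [])]:
        raise ValueError("entry is not a groupOfNames")
    return {norm_dn(entry["dn"][0]): {norm_dn(m) for m in entry.get("member", [])}}

def userpassword_access(requester, target, groups):
    """Access level for userPassword on target; requester=None means anonymous."""
    who_dn = norm_dn(requester) if requester else None
    for who, arg, level in ACL:
        if who == "group" and who_dn and who_dn in groups.get(norm_dn(arg), set()):
            return level
        if who == "self" and who_dn and who_dn == norm_dn(target):
            return level
        if who == "anonymous" and who_dn is None:
            return level
    return "none"  # implicit trailing "by * none"

if __name__ == "__main__":
    groups = load_groups(GROUP_LDIF)
    john = "cn=john,ou=people,ou=groups,dc=example,dc=com"  # constructed non-member
    for req in ("cn=bill,ou=people,ou=groups,dc=example,dc=com", john, None):
        print(req or "(anonymous)", "->", userpassword_access(req, john, groups))
```

Removing a DN from the member list is what revokes the group's write access; a bound user who is neither a member nor the entry's owner falls through to "none".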