[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: apping ACLs to groupmembers

To: openldap-software@OpenLDAP.org
Subject: Re: apping ACLs to groupmembers
From: Dieter Kluenter <dieter@dkluenter.de>
Date: Sat, 17 Jan 2004 17:31:16 +0100
In-reply-to: <20040117140657.GA31066@petrus.schuldei.org> (Andreas Schuldei's message of "Sat, 17 Jan 2004 15:06:57 +0100")
References: <20040117140657.GA31066@petrus.schuldei.org>
User-agent: Gnus/5.1001 (Gnus v5.10.1) XEmacs/21.4 (Portable Code, linux)

Hi,

Andreas Schuldei <andreas@schuldei.org> writes:

> i have (posixAccount)-users and (groupOfNames AND
> posixGroup)-groups in my ldap directrory. Now i want to enable
> users in one group (junior admins) to edit the userPassword files
> for everyone in an other group (students) but not other groups
> (like teachera and admins).
>
> i have read up on ACLs and look for a way to write that ACL
> entry. the DNs of students, teachers and admins look alike:
> uid=XXX,ou=People,dc=...
> so i cant filter on dn.subtree or so (as far as i know).
>
> But then i dont know so much about ACLs...
>
> Can i filter for this, somehow? i imagine my filtering must
> return real ldap entries which are allowed to be accessed, not
> just one entry which contains the forbidden and allowd DNs (in
> the member attribute of the groupOfNames groups)?

If you are looking for access control not based on subtrees but on
entries you should try aci's.

http://www.openldap.org/faq/data/cache/634.html

-Dieter

-- 
Dieter Kluenter  | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter(at)dkluenter.de
http://www.avci.de

References:
- apping ACLs to groupmembers
  - From: Andreas Schuldei <andreas@schuldei.org>

Prev by Date: apping ACLs to groupmembers
Next by Date: Re: sql-backend
Index(es):
- Chronological
- Thread