Re: Crazy ldap attribute release policy
Digant Kasundra wrote:
So no one wanted to take a stab at this problem? <sigh> :)
I guess no one is into "crazy" policies...
I'm trying to write a super weird ACL or looking for a better way to
handle the following problem:
Our UNIX systems query OpenLDAP to get gidNumber for people logging
in. One such gidNumber puts a person in the sysadmin group, but
people aren't admins of all the servers, so that gidNumber
should only be released to certain servers.
Currently, the lookup is done with a SASL bind and a DN specific to
each machine. So, should I (and can I) make an ACL that says "in
the cn=accounts branch, release all attributes but only release
gidNumber=100 if the person asking is dn=omega." ??
You didn't specify what version of OpenLDAP you're asking about.
Try reading slapd.access(5).
access to attr=gidnumber val=100 by dn=omega read
You must of course be using a recent 2.2 release for the above to work.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support
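The one-line rule above, placed in a full slapd.conf ACL stanza as an added example (not from the thread or from OpenLDAP's own docs). The "100" gid and the cn=accounts branch come from the thread; the dc=example,dc=com suffix and the cn=omega,ou=hosts DN are assumed placeholders for the real base and host DN.

```conf
# Added example, not code from the thread. Assumes the directory suffix
# dc=example,dc=com and that the host "omega" binds as
# cn=omega,ou=hosts,dc=example,dc=com (both placeholders).
#
# slapd evaluates "access to" clauses in order and the first clause whose
# <what> part matches the entry/attribute/value decides, so the
# value-specific clause must come BEFORE the general cn=accounts clause;
# placed after it, the general clause would already have granted read.

# 1. The value gidNumber=100 is readable only by the omega host DN.
#    Everyone else (anonymous included) gets "none" for that value, so a
#    search from another host simply does not return it, and the person's
#    other attributes are unaffected by this clause.
access to dn.subtree="cn=accounts,dc=example,dc=com"
        attrs=gidNumber val=100
    by dn.exact="cn=omega,ou=hosts,dc=example,dc=com" read
    by * none

# 2. All other gidNumber values and every other attribute under
#    cn=accounts are readable by any authenticated (SASL-bound) DN,
#    which is how the machines do their lookups in the thread.
access to dn.subtree="cn=accounts,dc=example,dc=com"
    by users read
    by * none
```

Check the result with an ldapsearch for "(gidNumber=100)" bound as omega and again as another host DN: only the first should return the attribute, and slapd's ACL debug output (loglevel acl) shows which clause matched.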