
Re: Crazy ldap attribute release policy

Digant Kasundra wrote:

So no one wanted to take a stab at this problem? <sigh> :)

I guess no one is into "crazy" policies...

Hello everyone,
I'm trying to write a super weird ACL or looking for a better way to
handle the following problem:
Our UNIX systems query OpenLDAP to get gidNumber for people logging
in. One such gidNumber puts a person in the sysadmin group, but
people aren't admins of all the servers, so that gidNumber
should only be released to certain servers.
Currently, the lookup is done with a SASL bind and a DN specific to
each machine. So, should I (and can I) make an ACL that says "in
the cn=accounts branch, release all attributes but only release
gidNumber=100 if the person asking is dn=omega." ??

You didn't specify what version of OpenLDAP you're asking about. Try reading slapd.access(5).

	access to attr=gidnumber val=100 by dn=omega read

You must of course be using a recent 2.2 release for the above to work.
  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
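The one-line ACL above only does what is intended if it sits in front of the broader rules that release the rest of the account data, because slapd stops at the first "access to" clause whose <what> matches and then takes the first matching <by> within it. Below is an added example of a complete ACL set for slapd.conf (OpenLDAP 2.2 or later, since "val=" needs it) that shows that ordering; it is not from the thread or from the OpenLDAP project. The suffix dc=example,dc=com, the ou=accounts branch, the ou=hosts branch holding the per-machine bind DNs and the DN cn=omega,ou=hosts,dc=example,dc=com are all assumed names.

```conf
# Added example, not from the thread. Assumed naming: accounts live under
# ou=accounts,dc=example,dc=com; each UNIX host binds (via SASL) as a DN
# under ou=hosts,dc=example,dc=com; the host that may learn about the
# sysadmin gid is cn=omega,ou=hosts,dc=example,dc=com.
#
# Rules are tried top to bottom; the first "access to" whose <what> matches
# the entry/attribute/value decides, so the value-specific rule must come
# first. "by * none" is the default at the end of every rule; it is written
# out here so the intent is visible.

# 1. gidNumber=100 is released only to omega. Any other host that matches
#    this <what> falls through to "by * none" and simply does not see the
#    value (other attributes of the same entry are unaffected).
access to dn.subtree="ou=accounts,dc=example,dc=com"
        attrs=gidNumber val=100
        by dn.exact="cn=omega,ou=hosts,dc=example,dc=com" read
        by * none

# 2. Every other gidNumber value is readable by all host accounts.
access to dn.subtree="ou=accounts,dc=example,dc=com"
        attrs=gidNumber
        by dn.children="ou=hosts,dc=example,dc=com" read
        by * none

# 3. The remaining account attributes are readable by all host accounts.
access to dn.subtree="ou=accounts,dc=example,dc=com"
        by dn.children="ou=hosts,dc=example,dc=com" read
        by * none
```

Two things to check before relying on this. First, with a SASL bind the identity slapd uses for ACLs is the mapped authorization DN, so the DN named in rule 1 must be the one your authz-regexp (or sasl-regexp on older releases) produces for that host, not the raw "uid=...,cn=...,cn=auth" form. Second, verify from each side rather than by reading the file: an ldapsearch bound as omega should return gidNumber for a sysadmin entry, and the same search bound as any other host should return the entry with gidNumber absent, while entries with other gidNumber values still show it.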