[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: posixgroup per user access rights

To: Tom Noonan II <tnoonan@iastate.edu>
Subject: Re: posixgroup per user access rights
From: Howard Chu <hyc@symas.com>
Date: Fri, 02 Dec 2005 01:59:21 -0800
Cc: openldap-software@OpenLDAP.org
In-reply-to: <5315211110543340@webmail.iastate.edu>
References: <5315211110543340@webmail.iastate.edu>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051201 SeaMonkey/1.5a

Tom Noonan II wrote:

Is there a way to do something similar to

       olcAccess: to attr=member,entry
             by dnattr=member selfwrite

but for posixgroups, not groupOfNames?

No. The ACL mechanism assigns privileges to LDAP users. In LDAP, users have DNs. posixGroup is an obsolete artifact of the short-sighted RFC2307 schema design. Proper LDAP clients use DNs (groupOfNames / member) and map DNs to POSIX account names for NSS usage; there's no good reason to keep using memberUid.

--
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/

References:
- posixgroup per user access rights
  - From: "Tom Noonan II" <tnoonan@iastate.edu>

Prev by Date: Java & syncrepl/ldapsync
Next by Date: Re: refreshAndPersist speed
Index(es):
- Chronological
- Thread