
Re: ACLs by netgroup?



On Mon, 6 Feb 2006, samuel gipe wrote:

> In the "by who" portion of the ACL, I see that you can specify DNs by using
> groups (with the syntax below). If the same capability existed for the "to
> what" portion of the ACL, it would be very convenient/useful (albeit more than
> what rfc2254 outlines).


I think this is the limitation you're going to run up against.

The 'to what' specification of the ACLs is too limiting for what you are
trying to do and you're trying to use the groupofnames thing in reverse,
sort of.  I think you'd be better off using access control based on
attributes in the entries themselves so you can do something like

access to attrs=userPassword
 by self write
 by dnattr=manager write

Then add the inetOrgPerson object class to all of your people and set the
manager attribute to the dn of the person allowed to change their
password.

-- 
Eric Irrgang - UT Austin ITS Unix Systems - (512)475-9342
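The attribute-based ACL suggested above, as an added worked example (not from the thread): the same rule expressed in cn=config form, with the `by anonymous auth` clause that simple binds still need and a sample inetOrgPerson entry whose manager attribute names the DN allowed to change its password. The database DN olcDatabase={1}mdb,cn=config, the suffix dc=example,dc=com and all entry names are assumed.

```ldif
# Record 1: add the access rule to the (assumed) database olcDatabase={1}mdb,cn=config.
# slapd evaluates "by" clauses in order and stops at the first match, so the order
# matters: self and the manager get write, anonymous may only use the value to
# authenticate (needed for simple bind), everyone else gets nothing.
# "dnattr=manager" grants access to whatever DN is stored in the target entry's
# own manager attribute, which is what makes this work per entry.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by dnattr=manager write
  by anonymous auth
  by * none

# Record 2: a constructed person entry. inetOrgPerson brings in the manager
# attribute (DN syntax), so the helpdesk account named here can set jdoe's
# password while no other non-self user can read or write it.
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: add
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
manager: uid=helpdesk,ou=people,dc=example,dc=com
```

Apply with `ldapmodify -Y EXTERNAL -H ldapi:/// -f` for the first record and a regular bind for the second, then verify with `ldapwhoami`/`ldappasswd` that uid=helpdesk can set jdoe's password and an unrelated user cannot.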