
Re: Two-level groups

Andris.Eiduks@tietoenator.com wrote:

Can I use two levels of groups for flexible rights sharing to users?

Example :

dn: cn=test1, ou=grupas, ou=roles, ou=tm
objectClass: groupOfNames
description: 1 testa grupa
member: cn=test2,ou=grupas,ou=roles,ou=tm
cn: test1

dn: cn=test2, ou=grupas, ou=roles, ou=tm
objectClass: groupOfNames
description: 2 testa grupa
cn: test2
member: uid=eiduks,ou=users,ou=tm

dn: uid=eiduks, ou=users, ou=tm
userPassword:: ....
uid: eiduks
objectClass: inetOrgPerson
sn: Eiduks
cn: Andris Eiduks

access to dn.exact="ou=mnuLinks,ou=mnuAMM,ou=ui,ou=cl,ou=components,ou=tm"
    by group="cn=test1,ou=grupas,ou=roles,ou=tm" read
    by * none

No, it's not possible; actually, yes, something like that is possible using dynamic groups (builtin for ACL checking; need slapo-dyngroup(5) or slapo-dynlist(5) for more general use). You need to use groupOfURLs/memberURL instead of groupOfNames/member, and each memberURL must represent a search that selects portions of the members of the dynamic group.
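
An added example, not part of the original thread and not OpenLDAP code: a small Python model of the two membership checks, showing why the static test1 group does not cover uid=eiduks while a memberURL search does. The dyn1 entry, the employeeType marker attribute and the uid=other user are assumptions made for illustration; only simple equality filters are handled.

```python
# Simplified model of the two group checks; not OpenLDAP source code.
# Entries are constructed from the thread's sample data.

def norm(dn):
    """Naive DN normalisation (no escaped commas): lowercase, trim RDNs."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

ENTRIES = {
    "cn=test1,ou=grupas,ou=roles,ou=tm": {
        "member": ["cn=test2,ou=grupas,ou=roles,ou=tm"]},
    "cn=test2,ou=grupas,ou=roles,ou=tm": {
        "member": ["uid=eiduks,ou=users,ou=tm"]},
    # Hypothetical groupOfURLs entry that could replace test1.
    "cn=dyn1,ou=grupas,ou=roles,ou=tm": {
        "memberurl": ["ldap:///ou=users,ou=tm??sub?(employeeType=test2)"]},
    # employeeType as the selecting attribute is an assumption.
    "uid=eiduks,ou=users,ou=tm": {"uid": ["eiduks"], "employeetype": ["test2"]},
    "uid=other,ou=users,ou=tm": {"uid": ["other"]},
}

def in_static_group(user_dn, group_dn):
    """groupOfNames/member: the bound DN must be a direct member value."""
    members = ENTRIES[norm(group_dn)].get("member", [])
    return norm(user_dn) in {norm(m) for m in members}

def in_scope(dn, base, scope):
    """Check dn against an LDAP URL's base DN and scope (base, one, sub)."""
    if dn == base:
        return scope in ("base", "sub")
    if not dn.endswith("," + base):
        return False
    depth = dn[: -len(base) - 1].count(",") + 1
    return scope == "sub" or (scope == "one" and depth == 1)

def in_dynamic_group(user_dn, group_dn):
    """groupOfURLs/memberURL: the user's own entry must match one URL."""
    user = norm(user_dn)
    entry = ENTRIES.get(user, {})
    for url in ENTRIES[norm(group_dn)].get("memberurl", []):
        base, _attrs, scope, flt = url[len("ldap:///"):].split("?", 3)
        attr, _, value = flt.strip("()").partition("=")  # equality only
        matches = value.lower() in (v.lower() for v in entry.get(attr.lower(), []))
        if in_scope(user, norm(base), scope.lower() or "base") and matches:
            return True
    return False
```
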