[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Two-level groups

To: Andris.Eiduks@tietoenator.com
Subject: Re: Two-level groups
From: Pierangelo Masarati <ando@sys-net.it>
Date: Mon, 22 Jan 2007 18:39:21 +0100
Cc: openldap-software@openldap.org
In-reply-to: <1FABB43D1E997C49B412A3008386ADB90262DDE5@dino.eu.tieto.com>
References: <1FABB43D1E997C49B412A3008386ADB90262DDE5@dino.eu.tieto.com>
User-agent: Thunderbird 1.5.0.8 (X11/20061025)

Andris.Eiduks@tietoenator.com wrote:

Hi,

Can I use two lewel of groups for flexible rights sharing to users ?

Example :


dn: cn=test1, ou=grupas, ou=roles, ou=tm
objectClass: groupOfNames
description: 1 testa grupa
member: cn=test2,ou=grupas,ou=roles,ou=tm
cn: test1


dn: cn=test2, ou=grupas, ou=roles, ou=tm
objectClass: groupOfNames
description: 2 testa grupa
cn: test2
member: uid=eiduks,ou=users,ou=tm


dn: uid=eiduks, ou=users, ou=tm
userPassword:: ....
uid: eiduks
objectClass: inetOrgPerson
sn: Eiduks
cn: Andris Eiduks


access to
dn.exact="ou=mnuLinks,ou=mnuAMM,ou=ui,ou=cl,ou=components,ou=tm"
        by group="cn=test1,ou=grupas,ou=roles,ou=tm" read
        by * none

No, it's not possible; actually, yes, something like that is possible using dynamic groups (builtin for ACL checking; need slapo-dyngroup(5) or slapo-dynlist(5) for more general use). You need to use groupOfURLs/memberURL instead of groupOfNames/member, and each memberURL must represent a search that selects portions of the members of the dynamic group.

p.

References:
- Two-level groups
  - From: <Andris.Eiduks@tietoenator.com>

Prev by Date: Re: refreshAndPersist and Monitor -> slapd core dump
Next by Date: pesky ppolicy problems
Index(es):
- Chronological
- Thread