[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: posixgroup and groupofnames

James Tran writes:
> i want to be able to make a group that is authorized to be admins to the
> ldap database but it seems i cant do it with posixgroups.

Strictly speaking the 'admin' is admin the rootdn given in slapd.conf.
But if you mean to give full read and write access:

You can use "sets".  They are still marked experimental, but are
described in <http://www.openldap.org/faq/data/cache/1133.html>.

This is all written without testing, but it would be something like

access to *
  by set="user/uid & [cn=admins,cn=filegroups,dc=example,dc=com]/memberUid"
     set="user/objectClass & [posixGroup]"
  by ...

I.e. anyone with (a) an uid attribute matching a memberUid attribute in
the admin group + (b) a 'posixGroup' in objectClass.

However, note that if you grant access based on an attribute in the
user's entry then anyone with write access to that attribute in some
entry can add that entry to your admin group.  E.g. if you add 'by self
write', anyone can add themselves to the group.  And anyone who can add
an entry, can include an admin's uid in the entry.

If nobody can modify the uid attribute, that stops the former problem:
  access to attrs=uid
    by <the admin set above> write
    by * read

If others can add entries, that acl doesn't keep them out.  But if
e.g. only DNs below cn=users,dc=example,dc=com are admins and others
with add access can't add entries there, you could instead use

access to *
  by dn.onelevel=cn=users,dc=example,dc=com
     set="user/uid & [cn=admins,cn=filegroups,dc=example,dc=com]/memberUid"
     set="user/objectClass & [posixGroup]"
  by ...

An alternative is to construct the user's DN in the set:
  by set="user & ([uid=]
                  + [cn=admins,cn=filegroups,dc=example,dc=com]/memberUid
                  + [,cn=users,dc=example,dc=com])"
  by set="(user & ([uid=]
                   + [cn=admins,cn=filegroups,dc=example,dc=com]/memberUid
                   + [,cn=users,dc=example,dc=com])
           )/objectClass & [posixGroup]"