[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: posixgroup and groupofnames
James Tran writes:
> i want to be able to make a group that is authorized to be admins to the
> ldap database but it seems i cant do it with posixgroups.
Strictly speaking the 'admin' is admin the rootdn given in slapd.conf.
But if you mean to give full read and write access:
You can use "sets". They are still marked experimental, but are
described in <http://www.openldap.org/faq/data/cache/1133.html>.
This is all written without testing, but it would be something like
this:
access to *
by set="user/uid & [cn=admins,cn=filegroups,dc=example,dc=com]/memberUid"
set="user/objectClass & [posixGroup]"
write
by ...
I.e. anyone with (a) an uid attribute matching a memberUid attribute in
the admin group + (b) a 'posixGroup' in objectClass.
However, note that if you grant access based on an attribute in the
user's entry then anyone with write access to that attribute in some
entry can add that entry to your admin group. E.g. if you add 'by self
write', anyone can add themselves to the group. And anyone who can add
an entry, can include an admin's uid in the entry.
If nobody can modify the uid attribute, that stops the former problem:
access to attrs=uid
by <the admin set above> write
by * read
If others can add entries, that acl doesn't keep them out. But if
e.g. only DNs below cn=users,dc=example,dc=com are admins and others
with add access can't add entries there, you could instead use
access to *
by dn.onelevel=cn=users,dc=example,dc=com
set="user/uid & [cn=admins,cn=filegroups,dc=example,dc=com]/memberUid"
set="user/objectClass & [posixGroup]"
write
by ...
An alternative is to construct the user's DN in the set:
by set="user & ([uid=]
+ [cn=admins,cn=filegroups,dc=example,dc=com]/memberUid
+ [,cn=users,dc=example,dc=com])"
or:
by set="(user & ([uid=]
+ [cn=admins,cn=filegroups,dc=example,dc=com]/memberUid
+ [,cn=users,dc=example,dc=com])
)/objectClass & [posixGroup]"
--
Regards,
Hallvard