
Re: Recursive access control for groups



On Fri, Dec 07, 2007 at 10:27:04AM +0200, Alina Dubrovska wrote:
> Gavin,
> 
> Thank you for reply and suggestion about support services!
> However, I'm hoping that somebody on the list is familiar with the
> sets syntax for defining an ACL and would be able to determine whether an
> ACL like this is correct:
> 
> access to attrs=employeeType,employeeNumber
>         by self write
>         by set="[cn=System Administrator,ou=groups,dc=domain,dc=com]/uniqueMember* & user" write
>         by * read
> 
> So, we have a parent group (groupOfUniqueNames, "System Administrator") and
> all members should be granted access permission to modify specific
> attributes. Then we need to have ability to add new child groups in runtime,
> so that all child group members would be automatically granted the same set
> of permissions as parent group. Without modifying slapd.conf and restarting
> server of course.
> 
> Probably there is some important nuance in the sets syntax, or maybe there
> is another alternative solution?
> 
> Because as I mentioned, with stated ACL we have performance issues on one
> OpenLDAP instance and fatal crash on another...

I used recursive groups once with sets, but not for enough time to
measure the performance. Do you have all needed attributes properly
indexed?

Also, it's usually advised against using uniqueMember and
groupOfUniqueNames for groups. Better to use groupOfNames and member
instead. But I suppose it's not related to the crash.
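As an added illustration (not part of the thread), here is how the posted ACL would look in slapd.conf with the reply's two suggestions applied: the group modelled as groupOfNames/member rather than groupOfUniqueNames/uniqueMember, and equality indexes declared for the attributes the ACL refers to. The DNs and attribute names are taken from the question; the database section they sit in is assumed.

```conf
# Added example, not from the thread. Assumes this sits inside a
# database section of slapd.conf; DNs and attribute names come from
# the question above.

# Equality indexes on the attributes referenced by the ACL, as the
# reply suggests checking before chasing the performance problem.
index   objectClass     eq
index   member          eq

# Parent group as groupOfNames/member. The trailing "*" in "member*"
# is the sets-syntax recursion operator (the posted ACL already uses
# it on uniqueMember): the set is expanded through nested groups, so a
# child group added at runtime inherits the permission without any
# change to slapd.conf or a server restart.
access to attrs=employeeType,employeeNumber
        by self write
        by set="[cn=System Administrator,ou=groups,dc=domain,dc=com]/member* & user" write
        by * read
```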