[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL for members of PosixGroup?

Don Hoover wrote:
I was wondering if there was a way to write an ACL for
a members of the PosixGroup.

I have a simple directory structure of: ou=People,o=myorg (with posixusers) ou=Group,o=myorg (with posixgroups)

I would like to create an ACL that allows users who have a gidNumber of X(say 101) that matches our systems admin group to have write access. And I guess one point is that they are not listed indivudually as "memberOf" entries in the ou=Group cn, they just have a gidNumber that matches a group in there.

I tried:

by group="cn=sysads,ou=Group,o=myorg" write


by group.expand="cn=sysads,ou=Group,o=myorg" write

Neither one worked, and in fact I saw an error message of something line: => bdb_entry_get: found entry: "cn=sysads,ou=group,o=myorg"

Mar 28 11:44:59 kyloulapp54dp slapd[5949]: <=
bdb_entry_get: failed to find objectClass groupOfNames

Does the group ACL's require a "groupofNames" instead
of using posixGroups under an OrganizationUnit?

I was wondering if maybe there some regex maybe I could use to check the gidNumber of the user trying to attempt access? I am not a regex genius so any help would be appreciated.

Not a regex. You could check membership by posixGroup members (memberUid) using sets <http://www.openldap.org/faq/data/cache/1133.html>.

Something like

access to *
    by set="user/uidNumber & [cn=group]/memberUid" read


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it