
Re: Group ACLs and indirection

Aaron Richton wrote:
I'm not sure I'm reading you right, but it sounds like you're hosting:

dn: cn=someObject,dc=example,dc=com
groupOfWriters: cn=specialPeople,dc=example,dc=com

dn: cn=specialPeople,dc=example,dc=com
uniqueMember: cn=Bob,dc=example,dc=com
uniqueMember: cn=Charlie,dc=example,dc=com

Something like that? Well, first off, consider if you can handle this with the simple case -- that is,

access to "cn=someObject,dc=example,dc=com"
by group/groupOfUniqueNames/uniqueMember.exact="cn=specialPeople,dc=example,dc=com" write

Try the ACL test that ships with slapd if you want to see that in action. But it sounds like you want this to be dynamic based off groupOfWriters. I think you can do that with a set ACL. Maybe something along the lines of

 by set="groupOfWriters/member & user" write

but that's just off the top of my head and quite likely insufficient.

by set="this/groupOfWriters/member & user" write

would probably be more appropriate :)


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
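
A simplified model of how a set clause like the one discussed above is evaluated, added here as an illustration; it is not code from the thread or from OpenLDAP. It assumes the sample entries quoted above, supports only `this`, `user`, `/` and `&`, and uses a hypothetical user `cn=Dave` for the negative case.

```python
# Simplified model of slapd "set" evaluation; illustration only, not OpenLDAP code.
# Entries are constructed from the sample data quoted in the thread.
DIRECTORY = {
    "cn=someobject,dc=example,dc=com": {
        "groupofwriters": ["cn=specialPeople,dc=example,dc=com"],
    },
    "cn=specialpeople,dc=example,dc=com": {
        "uniquemember": ["cn=Bob,dc=example,dc=com",
                         "cn=Charlie,dc=example,dc=com"],
    },
}

def norm(dn):
    """Crude DN normalisation: lowercase, trim spaces around each RDN."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def deref(dns, attr):
    """The '/' operator: gather attr values from every entry named in the set."""
    out = set()
    for dn in dns:
        entry = DIRECTORY.get(norm(dn), {})
        out.update(norm(v) for v in entry.get(attr.lower(), []))
    return out

def eval_set(expr, this_dn, user_dn):
    """Evaluate 'this/a/b & user' style expressions and return the result set."""
    result = None
    for term in expr.split("&"):
        head, *attrs = term.strip().split("/")
        if head == "this":        # DN of the entry being accessed
            current = {norm(this_dn)}
        elif head == "user":      # DN of the authenticated identity
            current = {norm(user_dn)}
        else:
            raise ValueError("this model only handles 'this' and 'user'")
        for attr in attrs:
            current = deref(current, attr)
        result = current if result is None else result & current
    return result

def grants(expr, this_dn, user_dn):
    """A 'by set=' clause matches when the resulting set is non-empty."""
    return bool(eval_set(expr, this_dn, user_dn))

if __name__ == "__main__":
    obj = "cn=someObject,dc=example,dc=com"
    for who in ("cn=Bob,dc=example,dc=com", "cn=Dave,dc=example,dc=com"):
        for attr in ("uniqueMember", "member"):
            expr = f"this/groupOfWriters/{attr} & user"
            print(who, expr, grants(expr, obj, who))
```

In this model the `member` form matches nobody against the sample group entry, because that entry stores its members in `uniqueMember`; the attribute named in the set has to be the one the group entry actually uses.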