Re: Letting Users Create Groups

On 2011-03-17 at 10:08, Tim Gustafson (tjg@soe.ucsc.edu) said:

I'd like to let users create posixGroup objects, but I don't want them to be able to pick a gidNumber that is already in use, or that is less than 1000 or greater than 10000, and I only want the groups to be created in the ou=Group,dc=example,dc=com container.

Take a look at slapo-unique to enforce gidNumber uniqueness. The last part is definitely doable. As to enforcing a value to be within a certain range, I suppose if you can come up with a regex to match that, it should be possible.

We have something similar, in that users can create groups of the form <user>:<groupname>. Here are the ACLs that make that work:

# allow access to create entries under ou=group
# (adding an entry needs write access to the "children" pseudo-attribute of its parent)
access to dn.exact="ou=group,dc=bx,dc=psu,dc=edu" attrs=children
        by users write
        by * read

# personal groups
# $1 is the <user> part captured from the group's cn; only that user,
# a */admin identity, or a member of ldapadmin-groups may edit the membership
access to dn.regex="cn=(.+):.+,ou=group,dc=bx,dc=psu,dc=edu" filter=(|(objectclass=groupofnames)(objectclass=posixgroup)) attrs=member,memberUid
        by dn.regex="uid=$1,ou=people,dc=bx,dc=psu,dc=edu" write
        by dn.regex=".*/admin,ou=people,dc=bx,dc=psu,dc=edu" write
        by group.exact="cn=ldapadmin-groups,ou=group,dc=bx,dc=psu,dc=edu" write
        by * read
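Putting the three requirements from the original question together (uniqueness via slapo-unique, the 1000..10000 range via a val.regex ACL, and creation limited to ou=Group) gives an slapd.conf fragment like the following. This is an added example, not the poster's configuration; it assumes the ou=Group,dc=example,dc=com and ou=People,dc=example,dc=com containers from the question and keeps the <user>:<groupname> naming scheme from the reply above so that a user can only create and edit their own groups.

```conf
# --- database section of slapd.conf (added example, not from the thread) ---

# slapo-unique: refuse any add/modify whose gidNumber already exists
# anywhere under ou=Group (checked for every write, whoever performs it)
overlay unique
unique_uri ldap:///ou=Group,dc=example,dc=com?gidNumber?sub

# adding an entry needs write access to the parent's "children" pseudo-attribute;
# granting it only on ou=Group is what confines group creation to that container
access to dn.exact="ou=Group,dc=example,dc=com" attrs=children
        by users write
        by * read

# gidNumber may be written only when its value is 1000..10000
# (ACLs are first-match: this rule must come before the catch-all below)
access to dn.regex="^cn=([^,]+):[^,]+,ou=Group,dc=example,dc=com$" attrs=gidNumber val.regex="^(1[0-9]{3}|[2-9][0-9]{3}|10000)$"
        by dn.exact,expand="uid=$1,ou=People,dc=example,dc=com" write
        by * read

# any other gidNumber value is read-only for everyone, so an add or
# modify carrying e.g. gidNumber=0 or gidNumber=20000 is rejected
access to dn.children="ou=Group,dc=example,dc=com" attrs=gidNumber
        by * read

# the rest of a personal group: "entry" (needed to add/delete the object),
# objectClass, cn and the membership attributes, writable by the owner only
access to dn.regex="^cn=([^,]+):[^,]+,ou=Group,dc=example,dc=com$" attrs=entry,objectClass,cn,memberUid,member
        by dn.exact,expand="uid=$1,ou=People,dc=example,dc=com" write
        by * read

# everything else under ou=Group stays read-only
access to dn.children="ou=Group,dc=example,dc=com"
        by * read
```

Test it with slapacl(8) (for example `slapacl -b "cn=alice:web,ou=Group,dc=example,dc=com" -D "uid=alice,ou=People,dc=example,dc=com" "gidNumber/write:20000"`) before relying on it, since a rule ordering mistake silently widens what users can write.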