
Re: Schema Design :: ACL on Groups by Group Members only

On Thu, 17 Mar 2011 12:01:15 -0700,
sim123 <Sim3159@gmail.com> wrote:

> Hi There,
> I want "n" number of groups (or similar structure which keeps member
> information) to be created and only group members have access to those
> groups. Members are defined in a separate user branch, so my DIT looks
> like
> dc=example,dc=com
> +--ou=people,dc=example,dc=com
> +----uid=bjanson,ou=users,dc=example,dc=com
> +----uid=matt,ou=users,dc=example,dc=com
> +--cn=group1,dc=example,dc=com (groupOfNames)
> +----cn=subgroup1,dc=example,dc=com (groupOfNames)
> now users bjanson and matt are members of group1, only bjanson is
> member of subgroup1. I would like to have ACL defined so only members
> can access their group. I don't need any ACL on subgroup as long as
> only all members of parent group can access it.
> Is it possible to do that in generic form, because basic ACL syntax
> needs dn/filter in the "access to" clause? In my example if I have n
> groups I will end up having n access control statements in slapd.conf,
> which doesn't sound like a good idea.
> Also, I don't need to use groups as such, but groupOfNames/
> groupOfUniqueNames are the only classes which support the member attribute.
> Please let me know if there is any other objectClass I should use.
> Thanks for all the help and support, I appreciate it very much.

You may use the almost undocumented access control by sets.
These documents provide some examples.


Dieter Klünter | Systemberatung
GPG Key ID:DA147B05
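An added example of the set-based rule (not from the original message or the OpenLDAP documentation); it assumes slapd.conf syntax and the DIT from the question, with every group a groupOfNames entry directly under dc=example,dc=com:

```conf
# Added example, not from the original thread. Assumes OpenLDAP slapd.conf
# and the DIT from the question: users under ou=people, groups as
# groupOfNames entries directly under dc=example,dc=com.

# Authentication: anyone may bind, nobody reads password hashes.
access to attrs=userPassword
    by anonymous auth
    by self write
    by * none

# One generic rule instead of n per-group rules: the target is any
# groupOfNames entry, and the set "this/member & user" is non-empty only
# when the requester's own DN appears in the *target* entry's member
# attribute. Members read their group; everyone else sees nothing, so
# non-members cannot even discover that the group exists.
access to dn.subtree="dc=example,dc=com" filter="(objectClass=groupOfNames)"
    by set="this/member & user" read
    by * none

# Remaining entries (e.g. the user branch) stay readable by bound users.
access to *
    by users read
    by * none
```

Because the rule is keyed on the target entry's own member attribute, adding a new group or a new member requires no change to slapd.conf; note that the first matching "access to" clause wins, so this rule must precede the catch-all.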