Re: Controlling access based on group membership

On 20/2/2012 1:45 PM, Nick Milas wrote:

I would like to ask the list:
1. Can someone demonstrate how we should formulate an ACL which would accomplish the above? The ACL should say:
access to <some entries> <some attribute>
    by {a DN which belongs to a Group specified in the AdminGroups attr of the entry} write
    by {a DN which belongs to a Group specified in the ReadGroups attr of the entry} read
    by {a DN which belongs to a Group specified in the SearchGroups attr of the entry} search

2. Is there an existing (included in the distribution or available from a third-party) schema or similar mechanism available (so that I don't re-invent the wheel)?

Reading through http://www.openldap.org/doc/admin24/access-control.html, I came to the conclusion that this could work if we specify:

 access to <some entries> <some attributes>
    by dnattr=AdminGroups write
    by dnattr=ReadGroups read
    by dnattr=SearchGroups search

Will this work if the DNs included in these attributes are, as I have described, of the following form:


and these are in turn defined as:
dn: cn=<someAdmins>,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: TechAdmins
member: uid=<user1>,ou=people,dc=example,dc=com
member: uid=<user2>,ou=people,dc=example,dc=com


Please, advise.
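The following is an added illustration, not part of Nick's message or of OpenLDAP: a small Python model of how slapd evaluates the two kinds of "by" clause relevant here. The proposed ACL uses `dnattr`, which (per the admin guide section linked above) matches only when the requestor's own DN is a value of the named attribute in the target entry; when that attribute holds group DNs, as in the TechAdmins example, the group's members do not match, so the three clauses as written grant nothing to them. The second matcher models a group-dereferencing set clause of the form `set="this/AdminGroups/member & user"`, which is the syntax I recall from the OpenLDAP sets documentation and should be checked against the slapd version in use. All DNs and directory contents in the block (`cn=project-x,...`, `uid=alice`, the Readers and Searchers groups) are constructed sample data.

```python
# Added illustration (not from the thread or OpenLDAP): a toy model of how
# slapd evaluates "by dnattr=<attr>" versus a group-dereferencing set clause
# when <attr> holds group DNs. All directory data below is constructed.
from typing import Callable, Dict, List, Optional

Entry = Dict[str, List[str]]
Directory = Dict[str, Entry]

PEOPLE = "ou=people,dc=example,dc=com"
GROUPS = "ou=Groups,dc=example,dc=com"
TARGET = "cn=project-x,ou=projects,dc=example,dc=com"  # constructed target entry

# Constructed directory: the protected entry names groups in AdminGroups /
# ReadGroups / SearchGroups, and each group is a groupOfNames listing users.
DIRECTORY: Directory = {
    TARGET: {
        "AdminGroups": [f"cn=TechAdmins,{GROUPS}"],
        "ReadGroups": [f"cn=Readers,{GROUPS}"],
        "SearchGroups": [f"cn=Searchers,{GROUPS}"],
    },
    f"cn=TechAdmins,{GROUPS}": {
        "objectClass": ["groupOfNames"],
        "member": [f"uid=alice,{PEOPLE}", f"uid=bob,{PEOPLE}"],
    },
    f"cn=Readers,{GROUPS}": {
        "objectClass": ["groupOfNames"],
        "member": [f"uid=bob,{PEOPLE}", f"uid=carol,{PEOPLE}"],
    },
    f"cn=Searchers,{GROUPS}": {
        "objectClass": ["groupOfNames"],
        "member": [f"uid=dave,{PEOPLE}"],
    },
}

# The "by" clauses in the order slapd would evaluate them: first match wins.
ACL = [("AdminGroups", "write"), ("ReadGroups", "read"), ("SearchGroups", "search")]

Matcher = Callable[[Directory, Entry, str, str], bool]


def normalize(dn: str) -> str:
    """Crude stand-in for distinguishedNameMatch: trim and lower-case each RDN."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def lookup(directory: Directory, dn: str) -> Optional[Entry]:
    """Find an entry by DN, ignoring case and spacing differences."""
    wanted = normalize(dn)
    return next((e for d, e in directory.items() if normalize(d) == wanted), None)


def dnattr_matches(directory: Directory, entry: Entry, attr: str, user_dn: str) -> bool:
    """Model of 'by dnattr=<attr>': the requestor's own DN must be a value of
    <attr> in the target entry. A group DN stored there does not match the
    group's members, which is why the proposed ACL cannot grant via groups."""
    return normalize(user_dn) in {normalize(v) for v in entry.get(attr, [])}


def group_set_matches(directory: Directory, entry: Entry, attr: str, user_dn: str) -> bool:
    """Model of a set clause like 'by set="this/<attr>/member & user"': follow
    each DN held in <attr> to the group entry and test membership there."""
    user = normalize(user_dn)
    for group_dn in entry.get(attr, []):
        group = lookup(directory, group_dn)
        if group and user in {normalize(m) for m in group.get("member", [])}:
            return True
    return False


def evaluate(directory: Directory, target_dn: str, user_dn: str, matcher: Matcher) -> Optional[str]:
    """Return the access level the first matching 'by' clause grants, or None
    when no clause matches (slapd's implicit 'by * none')."""
    entry = lookup(directory, target_dn)
    if entry is None:
        return None
    for attr, level in ACL:
        if matcher(directory, entry, attr, user_dn):
            return level
    return None


if __name__ == "__main__":
    for uid in ("alice", "bob", "carol", "dave", "eve"):
        dn = f"uid={uid},{PEOPLE}"
        print(f"{uid:6} dnattr -> {evaluate(DIRECTORY, TARGET, dn, dnattr_matches)!s:5} "
              f"set -> {evaluate(DIRECTORY, TARGET, dn, group_set_matches)}")
```

Running it shows every user getting `None` under the `dnattr` model and `write`/`read`/`search` under the group-dereferencing model; bob, who is in both TechAdmins and Readers, gets `write` because the first matching clause wins, so clause order in the real ACL is part of the security decision.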