[Date Prev][Date Next]
Re: Controlling access based on group membership
On 20/2/2012 11:14 ÎÎ, Dieter KlÃnter wrote:
The AdminGuide (and slapd.,access(5) clearly say
that is, attribute name is commonName or telephoneNumber, but not an
attribute value like AdminGroups.
I guess I was not clear enough?
According to my description, AdminGroups, ReadGroups and SearchGroups
are in fact attributes (of a hypothetical to-be-defined
objectClass:AdminGroupOwnership) and not values.
We add to each entry the objectClass: AdminGroupOwnership and any needed
attributes (AdminGroups, ReadGroups and SearchGroups); these attributes,
I repeat, would have values of the form:
Will it work as expected (to provide access to members of these groups)
if we use rules of the form:
access to <some entries> <some attributes>
by dnattr=AdminGroups write
by dnattr=ReadGroups read
by dnattr=SearchGroups search