[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Controlling access based on group membership

On 20/2/2012 11:14 ÎÎ, Dieter KlÃnter wrote:

The AdminGuide (and slapd.,access(5) clearly say
that is, attribute name is commonName or telephoneNumber, but not an
attribute value like AdminGroups.

Thanks Dieter,

I guess I was not clear enough?

According to my description, AdminGroups, ReadGroups and SearchGroups are in fact attributes (of a hypothetical to-be-defined objectClass:AdminGroupOwnership) and not values.

We add to each entry the objectClass: AdminGroupOwnership and any needed attributes (AdminGroups, ReadGroups and SearchGroups); these attributes, I repeat, would have values of the form:


Will it work as expected (to provide access to members of these groups) if we use rules of the form:
 access to <some entries> <some attributes>
    by dnattr=AdminGroups write
    by dnattr=ReadGroups read
    by dnattr=SearchGroups search