
Re: Controlling access based on group membership



Hi Nick,

On Mon, 20 Feb 2012 23:57:17 +0200, Nick Milas <nick@eurobjects.com> wrote:

> On 20/2/2012 11:14 PM, Dieter Klünter wrote:
> 
> > The AdminGuide (and slapd.access(5)) clearly say
> > [dnattr=<attrname>]
> > that is, attribute name is commonName or telephoneNumber, but not an
> > attribute value like AdminGroups.
> 
> Thanks Dieter,
> 
> I guess I was not clear enough?
> 
> According to my description, AdminGroups, ReadGroups and SearchGroups 
> are in fact attributes (of a hypothetical to-be-defined 
> objectClass:AdminGroupOwnership) and not values.
> 
> We add to each entry the objectClass: AdminGroupOwnership and any
> needed attributes (AdminGroups, ReadGroups and SearchGroups); these
> attributes, I repeat, would have values of the form:
> 
>     cn=<someAdmins>,ou=Groups,dc=example,dc=com
> 
> Will it work as expected (to provide access to members of these
> groups) if we use rules of the form:
>   access to <some entries> <some attributes>
>      by dnattr=AdminGroups write
>      by dnattr=ReadGroups read
>      by dnattr=SearchGroups search
> ...??

I don't think so, but I haven't tried it. You want access based on a
group membership, thus the membership has to be checked.


-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
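As an added illustration, not taken from Dieter's or Nick's messages: a slapd.conf ACL fragment contrasting what dnattr actually tests with the group clause that does check membership, plus a set clause that reads the group DN from the entry itself. The objectClass AdminGroupOwnership, its attributes and the group names are the hypothetical ones from Nick's description.

```conf
# Added example, not from the thread. Assumes Nick's hypothetical
# objectClass AdminGroupOwnership with DN-syntax attributes AdminGroups,
# ReadGroups and SearchGroups, each holding the DN of a groupOfNames entry
# such as cn=someAdmins,ou=Groups,dc=example,dc=com (hypothetical names).

# dnattr does NOT consult group membership. It grants access only when the
# bound DN itself is stored as a value of the named attribute in the target
# entry. With AdminGroups holding a group DN, only a client bound AS the
# group entry would match, which is not what is wanted.
access to dn.subtree="ou=People,dc=example,dc=com"
    by dnattr=AdminGroups write
    by * none

# The group clause checks membership: the bound DN must be listed in the
# member attribute of the named groupOfNames entry. The group DN is fixed in
# the ACL rather than read from the target entry.
access to dn.subtree="ou=People,dc=example,dc=com"
    by group/groupOfNames/member="cn=someAdmins,ou=Groups,dc=example,dc=com" write
    by group/groupOfNames/member="cn=someReaders,ou=Groups,dc=example,dc=com" read
    by * none

# To take the group DN from the entry's own attribute, the set clause can
# follow the DN chain: "this" is the target entry, /AdminGroups its group
# DNs, /member the members of those groups; a non-empty intersection with
# the bound DN ("user") grants access. The attributes must be defined in the
# schema with DN syntax for the chaining to work, and sets are a separate
# ACL feature whose behaviour should be checked against the slapd in use.
access to dn.subtree="ou=People,dc=example,dc=com"
    by set="this/AdminGroups/member & user" write
    by set="this/ReadGroups/member & user" read
    by set="this/SearchGroups/member & user" search
    by * none
```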