User-Managed Groups
- To: openldap-technical@openldap.org
- Subject: User-Managed Groups
- From: Tim Gustafson <tjg@ucsc.edu>
- Date: Fri, 7 Mar 2014 11:11:23 -0800
Hi,
I've had OpenLDAP set up for a while now such that users can create
groups and manage the groups that they've created. I've achieved this
by creating a new objectClass (called "managedGroup") which adds the
"manager" attribute, and then I've set up ACLs like this:
olcAccess: {14}to dn.base="ou=Groups,dc=whatever"
attrs=children
by users add
by * break
olcAccess: {15}to dn.subtree="ou=Groups,dc=whatever"
filter="(&(objectClass=posixGroup)(objectClass=managedGroup)(gidNumber>=1000))"
attrs=entry
by users add
by * break
olcAccess: {16}to dn.subtree="ou=Groups,dc=whatever"
attrs=cn,manager,memberUid,description
by set.exact="this/manager & user" write
by * break
I also have the "unique" overlay installed to prevent multiple groups
from having the same "cn" or "gidNumber".
I've got a request from users to be able to rename their groups now
too. I tried changing "by users add" to "by users write" in clause
14, and added the "entry" attribute to "attrs=" in clause 16, but the
server is still not letting users rename their groups. The output of
the log file looks like this:
slapd[44745]: => acl_get: [16] attr entry
slapd[44745]: => acl_mask: access to entry "cn=test-1234,ou=Groups,dc=whatever", attr "entry" requested
slapd[44745]: => acl_mask: to all values by "uid=g-guest,ou=people,dc=whatever", (=0)
slapd[44745]: <= check a_dn_pat: users
slapd[44745]: <= acl_mask: [1] applying add(=arscxd) (stop)
slapd[44745]: <= acl_mask: [1] mask: add(=arscxd)
slapd[44745]: => slap_access_allowed: write access denied by add(=arscxd)
slapd[44745]: => access_allowed: no more rules
What am I missing?
--
Tim Gustafson
tjg@ucsc.edu
831-459-5354
Baskin Engineering, Room 313A
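As an added example, not part of this thread, here is a small Python helper that parses the slapd ACL trace quoted in the message and compares the privilege letters the matching "by" clause granted against the access level slapd was asked for, using the mask letters documented in slapd.access(5). The log text is a constructed copy of the lines above with the wrapped lines rejoined; the field names and the REQUIRED table are my own.

```python
import re

# Constructed copy of the slapd ACL trace from the message above, wrapped lines rejoined.
SLAPD_LOG = """\
slapd[44745]: => acl_get: [16] attr entry
slapd[44745]: => acl_mask: access to entry "cn=test-1234,ou=Groups,dc=whatever", attr "entry" requested
slapd[44745]: => acl_mask: to all values by "uid=g-guest,ou=people,dc=whatever", (=0)
slapd[44745]: <= check a_dn_pat: users
slapd[44745]: <= acl_mask: [1] applying add(=arscxd) (stop)
slapd[44745]: <= acl_mask: [1] mask: add(=arscxd)
slapd[44745]: => slap_access_allowed: write access denied by add(=arscxd)
slapd[44745]: => access_allowed: no more rules
"""

# Privilege letters in slapd's "(=...)" masks, per slapd.access(5): m manage,
# w write, a add, z delete, r read, s search, c compare, x auth, d disclose.
# "write" is the 'w' bit or both of its halves, add 'a' and delete 'z'.
REQUIRED = {
    "manage": ({"m"},), "write": ({"w"}, {"a", "z"}),
    "add": ({"a"},), "delete": ({"z"},), "read": ({"r"},),
    "search": ({"s"},), "compare": ({"c"},), "auth": ({"x"},),
    "disclose": ({"d"},),
}

def _first(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None

def parse_acl_trace(log):
    """Extract the fields that decide the outcome of one slapd ACL trace."""
    return {
        "attr": _first(r"acl_get: \[\d+\] attr (\S+)", log),
        "target_dn": _first(r'access to entry "([^"]+)"', log),
        "requester_dn": _first(r'to all values by "([^"]+)"', log),
        "by_clause": _first(r"check a_dn_pat: (\S+)", log),
        "granted": _first(r"applying (\w+)\(=", log),       # e.g. "add"
        "mask": _first(r"applying \w+\(=([a-z]*)\)", log),   # e.g. "arscxd"
        "requested": _first(r"slap_access_allowed: (\w+) access", log),
        "stopped": "(stop)" in log,  # that "by" clause ended evaluation
    }

def satisfies(requested, mask):
    """True if the granted mask letters cover the requested access level."""
    return any(need <= set(mask) for need in REQUIRED[requested])

def diagnose(log):
    """Return the parsed trace plus whether the granted mask allowed the request."""
    t = parse_acl_trace(log)
    t["allowed"] = satisfies(t["requested"], t["mask"])
    return t
```

Running diagnose(SLAPD_LOG) shows the first matching "by users" clause handed out only "add" (letters arscxd, no 'w' or 'z') and stopped evaluation, so the later clause that would grant write on "entry" was never reached.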