OpenLDAP Software FAQ: SLAPD Configuration: Access Control
How do I use groups to manage access control?
There are a few ways to do this. One approach is illustrated here. Consider the following DIT layout:
+-dc=example,dc=com
+--cn=administrators,dc=example,dc=com
+--cn=fred blogs,dc=example,dc=com
and the following group object (in LDIF format). The groupOfNames object class is what the group ACL feature expects by default; the cn attribute must carry the value used in the RDN, so the longer name goes in description:
dn: cn=administrators,dc=example,dc=com
cn: administrators
description: administrators of this region
objectClass: groupOfNames
member: cn=fred blogs,dc=example,dc=com
member: cn=somebody else,dc=example,dc=com
One can then grant access to the members of this group by adding an appropriate by group clause to an access directive in slapd.conf(5). For instance,
  access to dn.children="dc=example,dc=com" 
      by self write 
      by group.exact="cn=Administrators,dc=example,dc=com" write  
      by * auth
As with by dn clauses, the group name can also be expanded from submatches of the regular expression in the to dn.regex clause, so the group consulted follows the naming context of the target entry. For instance,
  access to dn.regex="(.+,)?ou=People,(dc=[^,]+,dc=[^,]+)$"
           attrs=children,entry,uid
      by group.expand="cn=Managers,$2" write
      by users read
      by * auth

The above illustration assumed that the group members are to be found in the "member" attribute type of the "groupOfNames" object class. If you need to use a different group object class and/or a different member attribute type, use the following slapd.conf (abbreviated) syntax:
access to <what>
        by group/<objectclass>/<attributename>=<DN> <access>
For example:
access to *
  by group/organizationalRole/roleOccupant="cn=Administrator,dc=example,dc=com" write
In this case, we have an object class organizationalRole which holds the administrator DNs in the roleOccupant attribute. For instance:
dn: cn=Administrator,dc=example,dc=com
cn: Administrator
objectClass: organizationalRole
roleOccupant: cn=Jane Doe,dc=example,dc=com
Note: the specified member attribute type MUST be of DN or NameAndOptionalUID syntax, and the specified object class SHOULD allow the attribute type.
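To show how the two mechanisms above fit together, here is an added Python model (not OpenLDAP code, and not a substitute for testing the real ACLs with slapacl(8)) of how slapd resolves a group clause: the group.expand template has its $n references filled from the to dn.regex submatches of the target DN, and the subject is then looked up in the configured member attribute of an entry that must carry the configured object class. The directory contents, the helper names and the simplified DN normalization are all constructed for this example.

```python
import re

# Constructed sample directory: DN (normalized, see below) -> attributes.
# Models the groupOfNames and organizationalRole entries from the FAQ.
DIRECTORY = {
    "cn=managers,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "cn": ["managers"],
        "member": ["cn=fred blogs,dc=example,dc=com"],
    },
    "cn=administrator,dc=example,dc=com": {
        "objectClass": ["organizationalRole"],
        "cn": ["Administrator"],
        "roleOccupant": ["cn=Jane Doe,dc=example,dc=com"],
    },
}


def normalize_dn(dn):
    """Simplified DN normalization: case-insensitive RDN values, no stray
    whitespace around commas. Real slapd applies the attribute's matching rules."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def expand_group_dn(target_dn, to_regex, group_template):
    """Apply the `to dn.regex` pattern to the target DN and substitute $0..$9 in
    the group template, as group.expand does. Returns None when the target does
    not match the pattern (the clause then does not apply at all)."""
    m = re.match(to_regex, target_dn, re.IGNORECASE)
    if not m:
        return None

    def sub(ref):
        idx = int(ref.group(1))
        if idx > m.re.groups:          # reference to a group the regex lacks
            return ""
        return m.group(idx) or ""      # unmatched optional groups expand empty

    return re.sub(r"\$(\d)", sub, group_template)


def is_group_member(group_dn, subject_dn, objectclass="groupOfNames",
                    attr="member", directory=DIRECTORY):
    """Check whether subject_dn is listed in `attr` of the group entry, which
    must carry `objectclass`. This is the group/<objectclass>/<attr> lookup."""
    entry = directory.get(normalize_dn(group_dn))
    if entry is None:
        return False
    classes = {oc.lower() for oc in entry.get("objectClass", [])}
    if objectclass.lower() not in classes:
        return False
    members = {normalize_dn(v) for v in entry.get(attr, [])}
    return normalize_dn(subject_dn) in members


def group_expand_allows(target_dn, subject_dn, to_regex, group_template, **kw):
    """Full evaluation of one `by group.expand=...` clause for a target/subject pair."""
    group_dn = expand_group_dn(target_dn, to_regex, group_template)
    if group_dn is None:
        return False
    return is_group_member(group_dn, subject_dn, **kw)


if __name__ == "__main__":
    TO = r"(.+,)?ou=People,(dc=[^,]+,dc=[^,]+)$"
    TEMPLATE = "cn=Managers,$2"
    for target in ("uid=jdoe,ou=People,dc=example,dc=com",
                   "uid=jdoe,ou=People,dc=other,dc=org"):
        print(target, "->", expand_group_dn(target, TO, TEMPLATE),
              "fred allowed:",
              group_expand_allows(target, "cn=fred blogs,dc=example,dc=com", TO, TEMPLATE))
    print("Jane via organizationalRole/roleOccupant:",
          is_group_member("cn=Administrator,dc=example,dc=com",
                          "cn=Jane Doe,dc=example,dc=com",
                          objectclass="organizationalRole", attr="roleOccupant"))
```

The second target in the usage block sits under a different naming context, so $2 expands to a group that does not exist and access is denied; this is the property that makes group.expand useful for multi-suffix trees, and also the reason a misspelled group RDN silently denies everyone. The organizationalRole lookup fails if the default groupOfNames object class is left in place, which mirrors the requirement that the specified object class actually carry the member attribute.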
This document is: http://www.openldap.org/faq/index.cgi?file=52
© Copyright 1998-2013, OpenLDAP Foundation, info@OpenLDAP.org