
Re: ACL question about 'by group'



> I am sure I'm not understanding this right.  What I would like to do is
> grant access based on membership in a posixGroup entry.  I am not seeming
> to get the syntax right.  I've tried doing:
>
> access to <resource>
> 	by group="cn=PosixGroup,dc=mycompany,dc=com" write
>
> That group contains three memberUID entries.  The ACL is not working though.
>
> I read slapd.access carefully and even tried:
> by group/posixGroup/memberUID="cn=PosixGroup,dc=mycompany,dc=com" write
>
> But that one doesn't work either.  I'm thinking I am probably not
> understanding some of the conventions used in the man page.  Any help
> would be great!

The syntax "by group/posixGroup/memberUID" is correct, but the
AttributeDescription "memberUID" does not resolve to a distinguishedName
or nameAndOptionalUID valued attribute, rather to a POSIX group id.  I
don't see an immediate workaround.  Simply, posixGroup memberUIDs are not
fine for LDAP access control.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
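
Added example, not part of the original message and not OpenLDAP code: since a `by group` clause needs DN-valued members, one option is to keep a groupOfNames entry alongside the posixGroup and reference that in the ACL. The sketch below derives such an entry from the memberUid values; the user DN layout (`uid=<name>,ou=People,...`), the group name `cn=AclGroup` and the sample LDIF are assumptions constructed for illustration.

```python
import re
# Constructed sample: the kind of posixGroup entry described in the thread.
POSIX_GROUP_LDIF = """\
dn: cn=PosixGroup,dc=mycompany,dc=com
objectClass: posixGroup
cn: PosixGroup
gidNumber: 5000
memberUid: alice
memberUid: bob
memberUid: carol
"""

USER_DN_TEMPLATE = "uid={uid},ou=People,dc=mycompany,dc=com"  # assumed layout
ACL_GROUP_DN = "cn=AclGroup,dc=mycompany,dc=com"              # hypothetical name
SAFE_UID = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*$")

def member_uids(ldif):
    """Return memberUid values of one LDIF entry (attribute names are case-insensitive)."""
    uids = []
    for line in ldif.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "memberuid":
            uids.append(value.strip())
    return uids

def to_member_dns(uids):
    """Map bare login names to user DNs; refuse names that would need DN escaping."""
    dns = []
    for uid in uids:
        if not SAFE_UID.match(uid):
            raise ValueError(f"refusing to build a DN from memberUid {uid!r}")
        dns.append(USER_DN_TEMPLATE.format(uid=uid))
    return dns

def group_of_names_ldif(group_dn, member_dns):
    """Render a groupOfNames entry whose member values are DNs."""
    if not member_dns:
        raise ValueError("groupOfNames requires at least one member")
    cn = group_dn.split(",", 1)[0].split("=", 1)[1]
    lines = [f"dn: {group_dn}", "objectClass: groupOfNames", f"cn: {cn}"]
    lines += [f"member: {dn}" for dn in member_dns]
    return "\n".join(lines) + "\n"

def acl_clause(group_dn):
    """The by-clause for a DN-valued group, in the form used in the thread."""
    return f'by group/groupOfNames/member="{group_dn}" write'

if __name__ == "__main__":
    dns = to_member_dns(member_uids(POSIX_GROUP_LDIF))
    print(group_of_names_ldif(ACL_GROUP_DN, dns) + acl_clause(ACL_GROUP_DN))
```

The two groups have to be kept in sync; a membership change made only in the posixGroup does not change what the ACL grants.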