Re: OpenLDAP Group ACL

[Pierangelo Masarati <ando@sys-net.it>]

Please keep replies on the list.

Luke Lee wrote:
> Sir,
>
> I have the following in my base ldif:

snip

> and I have the following under the group ou:
>
> dn: cn=pwmanager,ou=Group,dc=mydomain,dc=com
> objectClass: groupOfNames
> cn: pwmanager
> member: cn=l_luke,ou=People,dc=mydomain,dc=com
> member: w_smith,ou=People,dc=mydomain,dc=com

snip

> The access defined in the slapd.conf file:
>
> access to attrs=userPassword
>         by self     write
>         by group.exact="cn=pwmanager,ou=Group,dc=mydomain,dc=com"    write
>         by *    none
>
> access to *
>         by self     write
>         by group.exact="cn=pwmanager,ou=Group,dc=mydomain,dc=com"    write
>         by users    read
>         by *    none
>
> Will I be able to use the following command to change user's password?
>
> ldappasswd -x -W -D "uid=l_luke,ou=People,dc=mydomain,dc=com" -S
> "uid=w_smith,ou=People,dc=mydomain,dc=com"

No.

> How can I use the Netgroup and netgroup.byhost nisMap to achive the same purpose? Would you please help? Thanks!

You can't.  You can't use anything but groupOfNames/member for group 
membership.  The only alternative, discussed thousands of times in the 
archives (the last time three days ago, 
<http://www.openldap.org/lists/openldap-software/200803/msg00241.html>) 
consists in using sets, but performance and deadlock issues will 
probably bite you.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------