[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: User managed groups - ACLs

To: openldap-technical@openldap.org
Subject: Re: User managed groups - ACLs
From: Christian Manal <moenoel@informatik.uni-bremen.de>
Date: Tue, 01 Feb 2011 09:59:50 +0100
In-reply-to: <4D46E98A.7090301@informatik.uni-bremen.de>
References: <4D46E98A.7090301@informatik.uni-bremen.de>
User-agent: Mozilla/5.0 (X11; U; Linux i686; de-DE; rv:1.9.2.12) Gecko/20101110 Lightning/1.0b2 Icedove/3.1.6

> 1.1 [...]: I have no idea if this is even possible, let alone how to
> achieve it.

Just figured out a part of this. Since ACLs seem to apply to new entries
before they are even in the database, I just need to restrict access to
'attrs=entry' to the group manager. Since 'UDBgrpAdmin' is a
single-valued attribute, there can be no other value than the DN of the
creator.

But that still doesn't prevent non-creator DNs in the 'member' attribute...

Updated ACLs:

   <http://openldap.pastebin.com/VCxM7YzL>


Regards,
Christian Manal

Prev by Date: AW: meta directory backend and rewriting option '|'
Next by Date: Re: same objects in multiple ou?
Index(es):
- Chronological
- Thread