
List:       openldap-software
Subject:    Re: acl only in slapd.conf
From:       Anthony Brock <abrock () georgefox ! edu>
Date:       2000-08-28 1:34:14

I would like to know how you do the following with ACLs:

I have two groups:

dn: cn=group admins,dc=my,dc=domain
dn: cn=group,dc=my,dc=domain

I have defined the owner of cn=group,dc=my,dc=domain to cn=group 
admins,dc=my,dc=domain.

How do I use the value of the owner attribute to grant access to members of 
group cn=group admins,dc=my,dc=domain?

The dnattr only seems to work for access to the SAME entry.  So I can't use 
the dnattr.  The best I have been able to come up with was from a VERY old 
faq entry at the openldap home page (which could use some improvements on 
its regex expressions):

access to dn="cn=([^,]+),dc=my,dc=domain" attrs=uniquemember by 
group/groupofuniquenames/uniquemember="cn=$1 admins,dc=my,dc=domain" write

This works, but only lets this admin group manage this SINGLE other 
group.  I would really like to use the owner attribute, but am at a loss as 
to how to proceed.  This is on a test OpenLDAP server 2.0cvs, which is my 
first priority to get working.  Once it is working, I am interested in 
applying the same thing to older 1.2.11 servers (until 2.0 is considered 
'released').

Could we use the experimental support for in-directory ACL in 2.0cvs to do 
this?  If so, how do you use this?  I have reviewed the admin guide for 
2.0, and it doesn't mention anything about it.

Just looking for some cookbook approaches.  Obviously, I am using the 
enhanced group methods.  It would be nice to have something similar to:

dnattr=owner/group/groupofuniquenames/uniquemember

Thanks in advance for any advice,

Tony

At 01:17 PM 8/27/00 -0700, Kurt@OpenLDAP.org wrote:
>At 01:42 PM 8/27/00 +0200, Lars Kneschke wrote:
> >>Is it correct that I can define ACLs only in the slapd.conf?
>
>In 1.2, yes.
>2.x (currently in gamma testing) has experimental support for
>in-directory access control information.

******************************************************************************
* Anthony Brock                                         abrock@georgefox.edu *
* Director of Network Services                         George Fox University *
******************************************************************************
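The following is an added example and not part of the original post or of OpenLDAP itself. It models, on a constructed in-memory directory, how the two access rules discussed above resolve: the FAQ-style regex rule (admin group name derived from the target's cn via $1) and the owner-attribute rule the post asks for (target -> owner -> group -> uniqueMember). All DNs, entries and the helper names are constructed for illustration; whether slapd can express the owner chain is exactly the open question in the post, so this only shows the intended decision logic, not slapd configuration.

```python
"""Model of two slapd-style ACL decisions on a constructed directory.

Added example, not code from the original post or from OpenLDAP. It shows
why a regex-capture rule only covers one "<cn> admins" group per managed
group, while following the owner attribute covers every entry that names
the admin group as its owner.
"""
import re

# Constructed directory: DN -> attributes (values are lists, as in LDAP).
# Keys are stored in lowercase so lookups can be case-insensitive.
DIRECTORY = {
    "cn=group admins,dc=my,dc=domain": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=alice,dc=my,dc=domain"],
    },
    "cn=group,dc=my,dc=domain": {
        "objectClass": ["groupOfUniqueNames"],
        "owner": ["cn=group admins,dc=my,dc=domain"],
        "uniqueMember": ["uid=bob,dc=my,dc=domain"],
    },
    # A second managed group whose owner is the same admin group, but for
    # which no "cn=other admins" group exists.
    "cn=other,dc=my,dc=domain": {
        "objectClass": ["groupOfUniqueNames"],
        "owner": ["cn=group admins,dc=my,dc=domain"],
        "uniqueMember": [],
    },
}


def normalize(dn):
    """Crude DN normalization for this model: trim and lowercase only."""
    return dn.strip().lower()


def is_member(group_dn, user_dn):
    """True if user_dn is a uniqueMember of the groupOfUniqueNames at group_dn."""
    entry = DIRECTORY.get(normalize(group_dn))
    if entry is None:
        return False
    classes = {c.lower() for c in entry.get("objectClass", [])}
    if "groupofuniquenames" not in classes:
        return False
    members = {normalize(m) for m in entry.get("uniqueMember", [])}
    return normalize(user_dn) in members


# Same pattern as the FAQ-style rule quoted in the post.
TARGET_RE = re.compile(r"^cn=([^,]+),dc=my,dc=domain$")


def regex_rule_grants_write(target_dn, user_dn):
    """Model of: access to dn="cn=([^,]+),dc=my,dc=domain" attrs=uniquemember
    by group/groupofuniquenames/uniquemember="cn=$1 admins,dc=my,dc=domain" write

    The admin group is derived from the target's cn, so each managed group
    needs its own "<cn> admins" group to exist."""
    m = TARGET_RE.match(normalize(target_dn))
    if not m:
        return False
    admin_group = "cn=%s admins,dc=my,dc=domain" % m.group(1)
    return is_member(admin_group, user_dn)


def owner_rule_grants_write(target_dn, user_dn):
    """Model of the behaviour the post wants (hypothetical
    dnattr=owner/group/groupofuniquenames/uniquemember): follow every
    owner value of the target to a group and grant write to its members."""
    entry = DIRECTORY.get(normalize(target_dn))
    if entry is None:
        return False
    return any(is_member(owner_dn, user_dn) for owner_dn in entry.get("owner", []))


if __name__ == "__main__":
    alice = "uid=alice,dc=my,dc=domain"
    for target in ("cn=group,dc=my,dc=domain", "cn=other,dc=my,dc=domain"):
        print(target,
              "regex:", regex_rule_grants_write(target, alice),
              "owner:", owner_rule_grants_write(target, alice))
```

Running it shows alice (a member of cn=group admins) gets write on cn=group under both rules, but only the owner rule grants her write on cn=other, because no cn=other admins group exists; bob, who is merely a member of cn=group, gets nothing under either rule. The normalization here is deliberately minimal (lowercase and trim); a real DN comparison also has to handle attribute-type case, spacing around commas and escaped values, which is where hand-written regex ACLs tend to go wrong.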
