List: openldap-software
Subject: Re: acl only in slapd.conf
From: Anthony Brock <abrock () georgefox ! edu>
Date: 2000-08-28 1:34:14
I would like to know how you do the following with ACLs:
I have two groups:
dn: cn=group admins,dc=my,dc=domain
dn: cn=group,dc=my,dc=domain
I have defined the owner of cn=group,dc=my,dc=domain to cn=group
admins,dc=my,dc=domain.
How do I use the value of the owner attribute to grant access to members of
group cn=group admins,dc=my,dc=domain?
The dnattr option only seems to work for access to the SAME entry. So I can't use
the dnattr. The best I have been able to come up with was from a VERY old
FAQ entry at the OpenLDAP home page (which could use some improvements on
its regex expressions):
access to dn="cn=([^,]+),dc=my,dc=domain" attrs=uniquemember
        by group/groupofuniquenames/uniquemember="cn=$1 admins,dc=my,dc=domain" write
This works, but only lets this admin group manage this SINGLE other
group. I would really like to use the owner attribute, but am at a loss as
to how to proceed. This is on a test OpenLDAP server 2.0cvs, which is my
first priority to get working. Once it is working, I am interested in
applying the same thing to older 1.2.11 servers (until 2.0 is considered
'released').
Could we use the experimental support for in-directory ACL in 2.0cvs to do
this? If so, how do you use this? I have reviewed the admin guide for
2.0, and it doesn't mention anything about it.
Just looking for some cookbook approaches. Obviously, I am using the
enhanced group methods. It would be nice to have something similar to:
dnattr=owner/group/groupofuniquenames/uniquemember
Thanks in advance for any advice,
Tony
At 01:17 PM 8/27/00 -0700, Kurt@OpenLDAP.org wrote:
>At 01:42 PM 8/27/00 +0200, Lars Kneschke wrote:
> >>Is it correct that I can define ACLs only in the slapd.conf?
>
>In 1.2, yes.
>2.x (currently in gamma testing) has experimental support for
>in-directory access control information.
******************************************************************************
* Anthony Brock abrock@georgefox.edu *
* Director of Network Services George Fox University *
******************************************************************************
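To make the difference between the two rules in the message above concrete, here is an added example (not code from the original post, and not slapd's own access-control implementation). It models, over a small constructed set of groupOfUniqueNames entries, what the posted regex ACL grants (the target's cn selects the group "cn=<cn> admins" whose uniqueMembers get write) next to the rule the poster is asking for (follow the target's owner attribute to a group and check membership there). Entry DNs, member names and the DIRECTORY dict are all constructed for illustration.

```python
import re

# Constructed sample entries (illustrative, not taken from the post).
# Keys and DN values are kept lower-case so lookups are case-insensitive.
DIRECTORY = {
    "cn=group,dc=my,dc=domain": {
        "objectclass": ["groupofuniquenames"],
        "uniquemember": ["cn=alice,dc=my,dc=domain"],
        "owner": ["cn=group admins,dc=my,dc=domain"],
    },
    "cn=group admins,dc=my,dc=domain": {
        "objectclass": ["groupofuniquenames"],
        "uniquemember": ["cn=bob,dc=my,dc=domain"],
    },
    "cn=other,dc=my,dc=domain": {
        "objectclass": ["groupofuniquenames"],
        "uniquemember": ["cn=dave,dc=my,dc=domain"],
        # Owned by "group admins", NOT by its namesake "other admins".
        "owner": ["cn=group admins,dc=my,dc=domain"],
    },
    "cn=other admins,dc=my,dc=domain": {
        "objectclass": ["groupofuniquenames"],
        "uniquemember": ["cn=carol,dc=my,dc=domain"],
    },
}

# The posted ACL's target pattern and the "$1"-expanded group DN.
ACL_TARGET = re.compile(r"^cn=([^,]+),dc=my,dc=domain$")
GROUP_TEMPLATE = "cn=$1 admins,dc=my,dc=domain"


def _norm(dn):
    """Case-fold a DN so comparisons ignore case (a simplification of DN matching)."""
    return dn.lower()


def is_unique_member(group_dn, requester_dn):
    """True if requester_dn is a uniqueMember of the groupOfUniqueNames at group_dn."""
    entry = DIRECTORY.get(_norm(group_dn))
    if entry is None or "groupofuniquenames" not in entry.get("objectclass", []):
        return False
    return _norm(requester_dn) in (_norm(m) for m in entry.get("uniquemember", []))


def regex_rule_grants_write(target_dn, requester_dn):
    """Model of the posted rule: the cn captured from the target DN names the admin group.

    Each group is therefore manageable only by its own "<cn> admins" group; an entry
    whose cn does not have a matching admins group (including the admins groups
    themselves) grants nothing."""
    m = ACL_TARGET.match(_norm(target_dn))
    if not m:
        return False
    admin_group = GROUP_TEMPLATE.replace("$1", m.group(1))
    return is_unique_member(admin_group, requester_dn)


def owner_rule_grants_write(target_dn, requester_dn):
    """Model of the rule the poster wants: follow the target's owner attribute to a group.

    This is the semantics being asked for, not a rule slapd's ACL syntax on the page
    expresses; it lets one admin group own any number of arbitrarily named groups."""
    entry = DIRECTORY.get(_norm(target_dn))
    if entry is None:
        return False
    return any(is_unique_member(owner, requester_dn) for owner in entry.get("owner", []))


if __name__ == "__main__":
    for target in DIRECTORY:
        for who in ("cn=bob,dc=my,dc=domain", "cn=carol,dc=my,dc=domain"):
            print(f"{who:26} -> {target:36} regex={regex_rule_grants_write(target, who)!s:5} "
                  f"owner={owner_rule_grants_write(target, who)}")
```

Running it shows the gap the poster describes: under the regex rule bob (in "group admins") can write only cn=group, and carol (in "other admins") can write cn=other even though that group's owner is "group admins"; under the owner rule bob can write both cn=group and cn=other, carol neither. The regex rule is also worth checking for the admins groups themselves, since "cn=group admins" matches the pattern and expands to a non-existent "cn=group admins admins" group, so it is (correctly) not self-manageable.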