Re: ACL and groups
"Kurt D. Zeilenga" wrote:

> At 12:17 PM 7/1/99 +0200, Emmanuel JEGOU wrote:
> > Hello,
> >
> >I have persons under the entry "ou=people,o=Naonet Company,c=fr" who are
> >identified by their 'cn'.
> >All of them have a 'businesscategory' attribute and I would like to grant
> >access to the persons who belong to the same 'businesscategory' by a
> >group of persons. This group is identified by a 'groupOfUniqueNames'
> >objectClass and each unique member could access people who belong to
> >the specified 'businesscategory' attribute. The group is located at:
> >"cn=Staff Administration Group,ou=Administrations Groups,o=Naonet
> >Company,c=fr".
> >
> >The dnattr specification can be used only if the uniquemember attribute is
> >in the entry to which the access applies.
> >
> >Is there something that could do this ?
>
> Yes.
>
> >With the Netscape Directory, I know there is the groupdn option in an
> >'aci' attribute, but is there an equivalent in OpenLDAP ?
>
> Yes, group ACLs (http://www.openldap.org/faq/index.cgi?file=52)
>
> Ignoring the 'businesscategory' requirement, you could have
> one rule:
>
> access to dn=".*,ou=people,o=Naonet Company,c=fr"
>     by group="cn=Staff Administration Group,ou=Administrations Groups,o=Naonet
> Company,c=fr" write
>     by * none
>
> Now, say you have two businesscategories X and Y and groups X and Y to
> admin'ed them, respectively.  You minimally need two rules....
> I would think something like the following might work.
>
> # X rule
> access to dn=".*,ou=people,o=Naonet Company,c=fr" filter="(businesscategory=X)"
>     by group="cn=X Administration Group,ou=Administrations Groups,o=Naonet
> Company,c=fr" write
>     by * none
>
> # Y rule
> access to dn=".*,ou=people,o=Naonet Company,c=fr" filter="(businesscategory=Y)"
>     by group="cn=Y Administration Group,ou=Administrations Groups,o=Naonet
> Company,c=fr" write
>     by * none
>
> (They would be added ABOVE the first example)
>
> Now, I said "minimally" because this might not give you the behavior
> you desire... businesscategory might be multivalued or may not exist
> or may not have a value X or Y.  I recommend avoiding ACLs with
> attribute content "what" clauses.

Ok, I understand that having ACLs based on non-fixed values is not recommended, but
have you got another idea to manage what I want ?

I tried with groups and it works fine, thanks !

>
> Kurt

Manu.

--
---------------------------------
 Emmanuel JEGOU
 mailto:Emmanuel.Jegou@naonet.fr
---------------------------------
 Naonet => Internet - Intranet
 http://www.naonet.fr
---------------------------------
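A small model of how Kurt's three rules interact, added here as an example and not code from the thread or from OpenLDAP itself. It assumes slapd's documented first-match evaluation (the first "access to" whose what-clause matches the entry decides, then its "by" clauses in order) and uses constructed entries and group memberships; it makes the caveat about multivalued or missing businesscategory values concrete.

```python
import re

# Constructed sample data modelled on the thread (not real directory contents).
PEOPLE = r".*,ou=people,o=Naonet Company,c=fr"
GROUP_X = "cn=X Administration Group,ou=Administrations Groups,o=Naonet Company,c=fr"
GROUP_Y = "cn=Y Administration Group,ou=Administrations Groups,o=Naonet Company,c=fr"
GROUP_STAFF = "cn=Staff Administration Group,ou=Administrations Groups,o=Naonet Company,c=fr"

# groupOfUniqueNames membership: group DN -> set of uniqueMember DNs (constructed).
GROUPS = {
    GROUP_X: {"cn=alice,ou=people,o=Naonet Company,c=fr"},
    GROUP_Y: {"cn=bob,ou=people,o=Naonet Company,c=fr"},
    GROUP_STAFF: {"cn=carol,ou=people,o=Naonet Company,c=fr"},
}

# The rules from the reply, in the order the reply says to place them:
# (dn regex, optional (attribute, value) equality filter, ordered "by" clauses).
ACLS = [
    (PEOPLE, ("businesscategory", "X"), [(GROUP_X, "write"), ("*", "none")]),
    (PEOPLE, ("businesscategory", "Y"), [(GROUP_Y, "write"), ("*", "none")]),
    (PEOPLE, None, [(GROUP_STAFF, "write"), ("*", "none")]),
]

# Constructed target entries: single value, multivalued, and missing attribute.
ENTRIES = {
    "cn=dan,ou=people,o=Naonet Company,c=fr": {"businesscategory": ["X"]},
    "cn=eve,ou=people,o=Naonet Company,c=fr": {"businesscategory": ["X", "Y"]},
    "cn=fay,ou=people,o=Naonet Company,c=fr": {},
}

def what_matches(dn, entry, dn_regex, flt):
    """Does this 'access to' clause select the entry? Filter is a plain equality test."""
    if not re.fullmatch(dn_regex, dn):
        return False
    if flt is None:
        return True
    attr, value = flt
    return value in entry.get(attr, [])  # any value of a multivalued attribute may match

def access_level(who, dn, acls=ACLS, groups=GROUPS, entries=ENTRIES):
    """Access `who` gets on `dn` under first-match semantics: the first matching
    'access to' rule decides, and its 'by' clauses are tried in order."""
    entry = entries[dn]
    for dn_regex, flt, by_clauses in acls:
        if what_matches(dn, entry, dn_regex, flt):
            for subject, level in by_clauses:
                if subject == "*" or who in groups.get(subject, set()):
                    return level
            return "none"
    return "none"  # no rule selected the entry
```

Run against the constructed entries, eve (businesscategory X and Y) is selected by the X rule first, so the Y administrators and even the Staff group end up with "none" on her, while fay (no businesscategory) is reachable only by the Staff group.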