
Re: slapd.conf acl based on uniqueMember attribute



On Sat, 12 May 2001, Kurt D. Zeilenga wrote:

> >I need to create 2 ou's (one for accounts and one for class roles).  User
> >accounts follow the standard rfc2307 schema using posixAccount
> >objectclass.  Class roles are represented by the groupOfNames objectclass.
> >I need to define an ACL in slapd.conf which allows the 'owner' attribute
> >value in the groupOfNames write access to the DN's specified by the
> >'member' attribute.
>
> access to filter=(objectClass=groupOfNames) attrs=member
>   by dnattr=owner write
>   ...

Hmmm....now this would seem to say

	"for all entries that have the groupOfNames objectclass
	value, give the 'owner' of that entry, write access to
	the DN value stored in the member attribute."

Did I miss something?

What I need to be able to do is to say...

	"for all entries that have the groupOfNames objectclass
	value, give the 'owner' of that entry, write access to
	the entry named by the DN stored in the member attribute."
        ^^^^^^^^^^^^^^^^^^^^^^^^^

Does that make sense?  Or am I confused on how your ACL works? I was under
the assumption that the "attrs=" defined to which attributes in the
defined entry the ACL would apply.  I need one level of indirection here I
think.





Cheers, jerry
----------------------------------------------------------------------
   /\  Gerald (Jerry) Carter                     Professional Services
 \/    http://www.valinux.com/  VA Linux Systems   gcarter@valinux.com
       http://www.samba.org/       SAMBA Team          jerry@samba.org
       http://www.plainjoe.org/                     jerry@plainjoe.org

       "...a hundred billion castaways looking for a home."
                                - Sting "Message in a Bottle" ( 1979 )
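
The two readings contrasted in the message above, as an added example that is not part of the original message and is not OpenLDAP code: a toy Python model of the access check under the quoted ACL (direct) and under the requested one-level indirection. All DNs, entries, function names and the scope parameter are assumptions constructed for the illustration.

```python
# Added illustration: a toy model of slapd-style access checks, not OpenLDAP code.
# All DNs and entries below are constructed sample data.

def norm(dn):
    """Crude DN normalisation for the model: lowercase, no spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

DIRECTORY = {norm(dn): attrs for dn, attrs in {
    "cn=cs101,ou=roles,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "owner": ["uid=prof,ou=accounts,dc=example,dc=com"],
        "member": ["uid=alice,ou=accounts,dc=example,dc=com",
                   "cn=admin,dc=example,dc=com"],
    },
    "uid=alice,ou=accounts,dc=example,dc=com": {"objectClass": ["posixAccount"]},
    "uid=prof,ou=accounts,dc=example,dc=com": {"objectClass": ["posixAccount"]},
    "cn=admin,dc=example,dc=com": {"objectClass": ["person"]},
}.items()}

def is_group(entry):
    return "groupofnames" in (v.lower() for v in entry.get("objectClass", []))

def direct_rule(requester, target_dn, attr):
    """The quoted ACL: the target is the group entry itself and only its
    'member' attribute; the requester must be listed in that entry's 'owner'."""
    entry = DIRECTORY.get(norm(target_dn), {})
    owners = {norm(o) for o in entry.get("owner", [])}
    return is_group(entry) and attr.lower() == "member" and norm(requester) in owners

def indirect_rule(requester, target_dn, scope="ou=accounts,dc=example,dc=com"):
    """The requested behaviour: the target is an entry *named by* some group's
    'member' value, and the requester owns that group. The scope argument is an
    assumption of this model: it confines the grant to the accounts subtree."""
    target, who = norm(target_dn), norm(requester)
    if not target.endswith("," + norm(scope)):
        return False
    return any(is_group(e)
               and target in {norm(m) for m in e.get("member", [])}
               and who in {norm(o) for o in e.get("owner", [])}
               for e in DIRECTORY.values())
```

Because the direct rule lets an owner edit 'member', the indirect grant is only as narrow as its scope; the model denies the out-of-scope admin entry even though it is listed as a member.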