
RE: group access "write" in OpenLDAP 2.1.4



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Tony Earnshaw

> > access to *
> >       by group="cn=administrators,dc=example,dc=com" write
> >       by * auth
>
> I have a group, peoplemanagers, that has *limited* rights to change
> certain attributes of members of a local group. These attributes are
> personal details, such as phone number, password etc.
>
> This is the relevant line from my ACL, it works :-) This is on a single
> line:
>
> by group="cn=peoplemanagers,ou=groups,dc=billy,dc=demon,dc=nl"
> dnattr=member write

This doesn't look right to me, but I'm not sure I understand the example. It
sounds to me like you have a group "cn=local group,dc=example,dc=com" and you
have another group "cn=peoplemanagers,dc=example,dc=com" and you're saying
that the members of "peoplemanagers" are allowed to modify attributes on the
members of "local group."

There is no facility that lets you specify members of a group as the target
of an ACL. It might be nice to say "access to group=foo by group=bar write"
but slapd doesn't support this.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
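As an added illustration of what slapd's ACL syntax can and cannot express at this point (this is not part of the message above, nor the original poster's configuration; the DNs are placeholders and the syntax is the OpenLDAP 2.1 form documented in slapd.access(5)): the entries a manager group may touch are selected by DN pattern and attribute list in the `access to` part, since there is no `to group=foo` target selector, while `dnattr=member` in a `by` clause grants access to the DNs listed in the target entry's own `member` attribute.

```conf
# Added example, not from the thread: give a "peoplemanagers" group limited
# write access to a few personal attributes of entries under ou=people.
# All DNs are placeholders.
#
# The target ("access to ...") is chosen by subtree and attribute list.
# slapd has no "to group=foo" selector, so the set of editable entries is
# expressed as a subtree, not as "members of group X".

# Passwords: the owner may change their own, peoplemanagers may reset them,
# everyone else may only use the attribute to authenticate.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=userPassword
        by self write
        by group="cn=peoplemanagers,ou=groups,dc=example,dc=com" write
        by * auth

# Contact details: the same managers may edit; authenticated users may read.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=telephoneNumber,mobile
        by self write
        by group="cn=peoplemanagers,ou=groups,dc=example,dc=com" write
        by users read
        by * none

# Group entries themselves: dnattr=member grants access to the DNs listed in
# the target entry's own "member" attribute, so a group's members may edit
# the group entry itself, not the entries of the people it lists.
access to dn.subtree="ou=groups,dc=example,dc=com"
        by dnattr=member write
        by users read
        by * none

# Catch-all: "access to" clauses are evaluated in order and the first one
# whose target matches is used, so this must stay last.
access to *
        by * auth
```

Within one `access to` clause the `by` clauses are also evaluated in order and the first match decides, which is why `by self write` precedes the group clause: a manager editing their own entry still gets write, and a user who is neither self nor a manager falls through to the later, more restrictive clause.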