
Re: apping ACLs to groupmembers



Hi,

Andreas Schuldei <andreas@schuldei.org> writes:

> I have (posixAccount) users and (groupOfNames AND
> posixGroup) groups in my LDAP directory. Now I want to enable
> users in one group (junior admins) to edit the userPassword files
> for everyone in another group (students) but not other groups
> (like teachers and admins).
>
> I have read up on ACLs and am looking for a way to write that ACL
> entry. The DNs of students, teachers and admins look alike:
> uid=XXX,ou=People,dc=...
> so I can't filter on dn.subtree or so (as far as I know).
>
> But then I don't know so much about ACLs...
>
> Can I filter for this, somehow? I imagine my filtering must
> return real LDAP entries which are allowed to be accessed, not
> just one entry which contains the forbidden and allowed DNs (in
> the member attribute of the groupOfNames groups)?

If you are looking for access control not based on subtrees but on
entries, you should try ACIs.

http://www.openldap.org/faq/data/cache/634.html

-Dieter

-- 
Dieter Kluenter  | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter(at)dkluenter.de
http://www.avci.de
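The rule Andreas asks for, written as ordinary slapd.conf ACLs rather than the ACIs Dieter points to. This is an added example, not part of the original thread; it assumes groups live under ou=Groups,dc=example,dc=com and that the memberof overlay maintains a memberOf attribute on each user entry, so the target set can be restricted with an ACL filter.

```conf
# Added example (not from the thread). Assumed layout: users under
# ou=People, groups under ou=Groups, base dc=example,dc=com.
# The memberof overlay must be enabled on the database so that every
# user entry carries a memberOf attribute mirroring the groups' member values:
#   moduleload memberof.la
#   overlay memberof
#   memberof-group-oc groupOfNames
#   memberof-member-ad member
#   memberof-memberof-ad memberOf

# 1. userPassword of students only: junior admins may write it, the owner
#    may change it, everyone else may only use it to bind (auth).
access to dn.subtree="ou=People,dc=example,dc=com"
        filter="(memberOf=cn=students,ou=Groups,dc=example,dc=com)"
        attrs=userPassword
    by group/groupOfNames/member="cn=junioradmins,ou=Groups,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

# 2. userPassword of every other user (teachers, admins, ...). Junior admins
#    are not listed here, so they fall through to "by * none". slapd uses
#    the first "access to" clause whose target matches the entry, so this
#    clause must come after the student-specific one.
access to dn.subtree="ou=People,dc=example,dc=com" attrs=userPassword
    by self write
    by anonymous auth
    by * none

# 3. Remaining user attributes stay readable by authenticated users.
access to dn.subtree="ou=People,dc=example,dc=com"
    by users read
    by * none
```

Verify the effect offline before restarting slapd, e.g. `slapacl -f slapd.conf -D uid=jadmin,ou=People,dc=example,dc=com -b uid=student1,ou=People,dc=example,dc=com userPassword/write` should report write allowed, and the same command against a teacher's DN should not.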