Crazy ldap attribute release policy

Hello everyone,
 
I'm trying to write a super weird ACL or looking for a better way to handle the following problem:
 
Our UNIX systems query OpenLDAP to get gidNumber for people logging in.  One such gidNumber puts a person in the sysadmin group, but people aren't admins of all the servers, so that gidNumber should only be released to certain servers.
 
Currently, the lookup is done with a SASL bind and a DN specific to each machine.  So, should I (and can I) make an ACL that says "in the cn=accounts branch, release all attributes but only release gidNumber=100 if the person asking is dn=omega"?
 
*OR* is there a better way to go about this?
 
-- DK
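One way to write that rule in slapd.conf access-directive syntax, added here as an illustration and not taken from the thread; the suffix dc=example,dc=com, the cn=accounts branch and the host bind DN cn=omega,ou=hosts,... are assumed placeholders:

```conf
# Added example, not from the original thread. Assumed DNs: account entries
# live under cn=accounts,dc=example,dc=com and the admin-capable host binds
# (via SASL, after any authz-regexp mapping) as cn=omega,ou=hosts,dc=example,dc=com.
#
# slapd walks access directives in order and uses the first <what> clause that
# matches the attribute value being read, so the value-specific rule for
# gidNumber must come BEFORE the general rule for the branch.

# Rule 1: the single value gidNumber=100 is readable only by the admin host.
# "val=" compares with gidNumber's equality matching rule, so only that one
# value is covered; any other gidNumber value falls through to rule 2.
access to dn.subtree="cn=accounts,dc=example,dc=com"
        attrs=gidNumber val=100
    by dn.exact="cn=omega,ou=hosts,dc=example,dc=com" read
    by * none

# To grant a set of hosts rather than one, replace the dn.exact line with
#   by group.exact="cn=admin-hosts,ou=groups,dc=example,dc=com" read
# where that groupOfNames lists each admin host's bind DN as a member.

# Rule 2: everything else in the branch (all other attributes, and gidNumber
# values other than 100) is readable by any authenticated bind DN; anonymous
# clients get nothing.
access to dn.subtree="cn=accounts,dc=example,dc=com"
    by users read
    by * none
```

A host that is denied the value sees the entry with no gidNumber at all, which most NSS modules treat as an incomplete passwd entry, so check that such users still resolve (or are meant not to) on a non-admin host before rolling this out. Verify the ordering with `slapacl -b "uid=someone,cn=accounts,dc=example,dc=com" -D "<host bind DN>" gidNumber/read` against the running configuration.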