
RE: Crazy ldap attribute release policy



So no one wanted to take a stab at this problem?  <sigh> :)
 
 
-----Original Message-----
From: owner-openldap-software@OpenLDAP.org [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Digant Kasundra
Sent: Wednesday, July 21, 2004 5:26 PM

Hello everyone,
 
I'm trying to write a super weird ACL or looking for a better way to handle the following problem:
 
Our UNIX systems query OpenLDAP to get gidNumber for people logging in.  One such gidNumber puts a person in the sysadmin group, but people aren't admins of all the servers, so that gidNumber should only be released to certain servers.
 
Currently, the lookup is done with a SASL bind and a DN specific to each machine.  So, should I (and can I) make an ACL that says "in the cn=accounts branch, release all attributes but only release gidNumber=100 if the person asking is dn=omega." ??
 
*OR* is there a better way to go about this?
 
-- DK
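One way to express the rule asked for above in slapd.conf, added here as an example and not taken from the original post or from OpenLDAP's own documentation. It relies on the `val=` qualifier that slapd.access(5) allows after a single `attrs=` attribute, so that one clause can govern a single attribute value. The suffix dc=example,dc=com, the branch cn=accounts,dc=example,dc=com and the host identity cn=omega,ou=hosts,dc=example,dc=com are assumed names; the last one must be the DN that slapd actually derives from the machine's SASL identity (via authz-regexp), not the SASL user name itself.

```conf
# Added example (not from the original post).  Assumed names: suffix
# dc=example,dc=com, accounts under cn=accounts,dc=example,dc=com, and the
# per-host DN cn=omega,ou=hosts,dc=example,dc=com that the SASL bind maps to.
#
# slapd evaluates "access to" clauses in order and applies the first one
# whose <what> part matches the entry/attribute/value being checked, so the
# narrow value-specific clause must come before the broader clauses that
# cover the same subtree.

# Only host omega may see the value gidNumber=100.  Other values of
# gidNumber do not match this <what> and fall through to the next clause.
access to dn.subtree="cn=accounts,dc=example,dc=com"
        attrs=gidNumber val=100
    by dn.exact="cn=omega,ou=hosts,dc=example,dc=com" read
    by * none

# Every other gidNumber value is readable by any authenticated identity
# (the hosts bind with SASL, so "users" covers them; "by * none" is the
# implicit default and is spelled out here for clarity).
access to dn.subtree="cn=accounts,dc=example,dc=com"
        attrs=gidNumber
    by users read
    by * none

# Everything else in the branch stays readable as before.
access to dn.subtree="cn=accounts,dc=example,dc=com"
    by users read
    by * none
```

To check the result, run `ldapwhoami -Y <mechanism>` from a host to confirm which DN its SASL identity maps to (that is the DN the `by dn.exact=` line has to name), then run the same `ldapsearch -Y <mechanism> -b cn=accounts,dc=example,dc=com '(uid=someone)' gidNumber` from omega and from a non-admin host: the first should return gidNumber: 100, the second should return the entry with no gidNumber at all. Because `by * none` also denies search access to the value, a filter such as `(gidNumber=100)` from the other hosts will not match those entries either. The practical caveat is that the affected users then have no gidNumber at all on the non-admin hosts, so the NSS client there sees an account without a primary group; if that is not acceptable, the alternative is to give everyone an ordinary primary gidNumber and convey admin rights through a separate group that is released selectively instead.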