Hello everyone,

I'm trying to write a super weird ACL, or I'm looking for a better way to handle the following problem:

Our UNIX systems query OpenLDAP to get gidNumber for people logging in. One such gidNumber puts a person in the sysadmin group, but people aren't admins of all the servers, so that gidNumber should only be released to certain servers.

Currently, the lookup is done with a SASL bind and a DN specific to each machine. So, should I (and can I) make an ACL that says "in the cn=accounts branch, release all attributes, but only release gidNumber=100 if the person asking is dn=omega"?

*OR* is there a better way to go about this?
--
DK
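The ACL asked about above can be expressed directly in OpenLDAP's access-control syntax, using the `val=` qualifier on a single-attribute `attrs=` clause. What follows is an added example, not part of the original post and not anything DK or the list replied with. Every name in it is assumed for illustration: account entries under `ou=accounts,dc=example,dc=com`, the per-machine bind DNs under `ou=hosts,dc=example,dc=com`, the privileged machine binding as `cn=omega,ou=hosts,dc=example,dc=com`, the sysadmin group as gidNumber 100, and the database being `olcDatabase={1}mdb,cn=config`.

```ldif
# Added example (not from the original post). All DNs, the database name
# and the gidNumber value below are assumptions for illustration.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Rule {0}: the single value gidNumber=100 on account entries is readable
# only by the omega host's bind DN. Ordering matters: slapd uses the first
# "to" clause whose target (entry, attribute, value) matches, so this
# specific rule must precede the general one.
olcAccess: {0}to dn.subtree="ou=accounts,dc=example,dc=com" attrs=gidNumber val=100
  by dn.exact="cn=omega,ou=hosts,dc=example,dc=com" read
  by * none
# Rule {1}: every other attribute, and every other gidNumber value, on
# account entries is readable by any host bind DN under ou=hosts.
olcAccess: {1}to dn.subtree="ou=accounts,dc=example,dc=com"
  by dn.children="ou=hosts,dc=example,dc=com" read
  by * none
```

With a slapd.conf-style configuration the same two `access to ... by ...` directives are used verbatim, without the `olcAccess: {n}` prefixes. Three things to check before relying on it: the `by dn.exact` clause matches the authorization DN after slapd has mapped the SASL identity (via `authz-regexp` / `olcAuthzRegexp`), so confirm with `ldapwhoami -Y ...` from each host that the mapped DN is the one named in the ACL; the rootdn bypasses ACLs entirely, so the test must be done with the hosts' own credentials; and because rule {0} also withholds the value from `by self`, add `by self read` to it if users are expected to read their own entry. The practical consequence for the non-omega hosts is that a sysadmin's account comes back with no gidNumber at all, which most NSS clients treat as an unusable entry, so verify that "cannot log in there" is indeed the intended effect rather than a surprise.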