[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Crazy ldap attribute release policy

To: openldap-software@OpenLDAP.org
Subject: RE: Crazy ldap attribute release policy
From: Digant Kasundra <digant@uta.edu>
Date: Thu, 22 Jul 2004 15:42:27 -0500

Title: Message

So no one wanted to take a stab at this problem? <sigh> :)

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Digant Kasundra
Sent: Wednesday, July 21, 2004 5:26 PM

Hello everyone,

I'm trying to write a super weird ACL or looking for a better way to handle the following problem:

Our UNIX systems query OpenLDAP to get gidNumber for people logging in. One such gidNumber puts a person in the sysadmin group, but people aren't not admins of all the servers, so that gidNumber should only be released to certain servers.

Currently, the lookup is done with a SASL bind and a DN specific to each machine. So, should I (and can I) make an ACL that says "in the cn=accounts branch, release all attributes but only release gidNumber=100 if the person asking is dn=omega." ??

*OR* is there a better way to go about this?

-- DK

Follow-Ups:
- Re: Crazy ldap attribute release policy
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: slapd-{ldap,meta} && authentication
Next by Date: Re: BINDDN in ldap.conf
Index(es):
- Chronological
- Thread