[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: apping ACLs to groupmembers
- To: Dieter Kluenter <dieter@dkluenter.de>
- Subject: Re: apping ACLs to groupmembers
- From: Andreas Schuldei <andreas@schuldei.org>
- Date: Sat, 5 Mar 2005 17:55:52 +0100
- Cc: openldap-software@OpenLDAP.org
- Content-disposition: inline
- In-reply-to: <m3n08milkb.fsf@marin.l4b.de>
- References: <20040117140657.GA31066@petrus.schuldei.org> <m3n08milkb.fsf@marin.l4b.de>
- User-agent: Mutt/1.5.6+20040818i
* Dieter Kluenter (dieter@dkluenter.de) [040117 17:44]:
> Andreas Schuldei <andreas@schuldei.org> writes:
> > i have (posixAccount)-users and (groupOfNames AND
> > posixGroup)-groups in my ldap directrory. Now i want to enable
> > users in one group (junior admins) to edit the userPassword files
> > for everyone in an other group (students) but not other groups
> > (like teachera and admins).
> >
> > i have read up on ACLs and look for a way to write that ACL
> > entry. the DNs of students, teachers and admins look alike:
> > uid=XXX,ou=People,dc=...
> > so i cant filter on dn.subtree or so (as far as i know).
> >
> > But then i dont know so much about ACLs...
> >
> > Can i filter for this, somehow? i imagine my filtering must
> > return real ldap entries which are allowed to be accessed, not
> > just one entry which contains the forbidden and allowd DNs (in
> > the member attribute of the groupOfNames groups)?
>
> If you are looking for access control not based on subtrees but on
> entries you should try aci's.
this has become a issue again and still needs solving.
to clarify:
members in group A can write to certain attributes of entries in group B.
members in group C can write to certain attributes of entries in group A and B.
the groups are hybrids of posixGroup and groupOfNames.
i use the debian packages, which dont have ACIs compiled in
(since they are experimental and about to change soon, i hear).
Especially the "changing" bit would be a pain since it might
break upgrades. I am not sure how recompilation of the package
(with ACIs enabled) would impact library compatibility.