posixgroup per user access rights
Is there a way to do something similar to
    olcAccess: to attr=member,entry
      by dnattr=member selfwrite
but for posixgroups, not groupOfNames?
The problem I see is that an ACL can't authenticate against a posixGroup (as far
as I know). Right now I just have it so that any user has write access to certain
posixGroups, which is a potential security hole as they could add / erase other
users.
Basically I want users to be able to remove themselves from a group. I currently
have:
    access to dn.exact="cn=team,ou=Group,dc=prisum,dc=org"
      by anonymous auth
      by users write
For each of my groups this applies to. As I mentioned above, this means that a
user can add / erase other users, which I don't like.
Thanks in advance.