Re: Group ACLs and indirection
I'm not sure I'm reading you right, but it sounds like you're hosting:
dn: cn=someObject,dc=example,dc=com
groupOfWriters: cn=specialPeople,dc=example,dc=com
dn: cn=specialPeople,dc=example,dc=com
uniqueMember: cn=Bob,dc=example,dc=com
uniqueMember: cn=Charlie,dc=example,dc=com
Something like that? Well, first off, consider if you can handle this with
the simple case -- that is,
access to "cn=someObject,dc=example,dc=com"
by group/groupOfUniqueNames/uniqueMember.exact="cn=specialPeople,dc=example,dc=com" write
Try the ACL test that ships with slapd if you want to see that in action.
But it sounds like you want this to be dynamic based off groupOfWriters. I
think you can do that with a set ACL. Maybe something along the lines of
by set="groupOfWriters/member & user" write
but that's just off the top of my head and quite likely insufficient.
On Wed, 9 Apr 2008, Simon Wilkinson wrote:
Hi,
Just wondering, before I go and delve into the code, whether there was a way
of doing group-based ACLs in the same way as dnattr allows indirection on the
user DN.
Essentially, I'd like an object to contain an attribute holding the DN of the
group permitted to access that object, and then be able to do access control
based on the user being a member of the group pointed to by that DN.
I can find an email from Kurt in 1999, suggesting a groupattr directive be
implemented, and welcoming contributions. Would a contribution of this still
be welcomed 9 years later?
Cheers,
Simon.
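As an added example (not from either poster), here is a slapd.conf fragment that puts the two approaches from the reply side by side, in the static form and in the set form that follows the group DN stored on the object. It assumes groupOfWriters is a custom, DN-syntax attribute defined in the schema, and cn=admin,dc=example,dc=com is a placeholder administrator DN.

```conf
# Added example, not from the thread. Assumes the layout sketched in the reply:
# cn=someObject carries a groupOfWriters attribute (assumed DN syntax) that
# names a groupOfUniqueNames entry whose members should get write access.

# First-match applies: lock down the pointer attribute itself before granting
# anything broader, otherwise anyone who gains write on the entry could
# repoint groupOfWriters at a group of their own choosing.
access to dn.exact="cn=someObject,dc=example,dc=com" attrs=groupOfWriters
    by dn.exact="cn=admin,dc=example,dc=com" write   # placeholder admin DN
    by * read

# 1. Static form: the group DN is hard-coded in the ACL.
access to dn.exact="cn=someObject,dc=example,dc=com"
    by group/groupOfUniqueNames/uniqueMember.exact="cn=specialPeople,dc=example,dc=com" write
    by * read

# 2. Indirect form with a set: "this" is the entry being accessed,
#    "this/groupOfWriters" dereferences to the group entry named in that
#    attribute, and "/uniqueMember" expands to its members. The intersection
#    with "user" (the bound DN) is non-empty only when the requester is a
#    member, so write access follows whatever DN the object points at.
#    The membership attribute must match the group's object class
#    (uniqueMember for groupOfUniqueNames, member for groupOfNames).
access to dn.children="dc=example,dc=com"
    by set="this/groupOfWriters/uniqueMember & user" write
    by * read
```

To check the result without a live client, slapacl(8) evaluates a configured ACL for a given bind DN and target, for example `slapacl -f slapd.conf -b "cn=someObject,dc=example,dc=com" -D "cn=Bob,dc=example,dc=com" entry/write`.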