
ACL construction : by group



Hi everybody,

I'm trying to write an admin tool for my LDAP in PHP.
Changes to entries of other people should only be possible for members of the
group "Domain Admins".
So I wrote some PHP code which checks if the provided username (via web browser)
is a member of "Domain Admins".

"Domain Admins" is created by samba and a normal posixGroup/sambaGroupMapping.
All members of the group are listed via "memberUid".

But at the same time there is an LDAP ACL used like this:

access to dn.subtree="ou=Groups,dc=example,dc=de"
        by group="cn=Domain Admins,ou=groups,dc=example,dc=de" write
        by dn="uid=backup,ou=users,dc=example,dc=de" read
        by users none
        by * none

An internal policy prohibits normal users from accessing the Groups subtree.
I added the "by group" line, but then realised that it cannot work this way.

A user search like "search if memberUid=x is a member of "Domain Admins"" needs
the rights for a search in ou=groups. But the only stored attribute per user
is the memberUid, not the complete DN.

The DN of a possible user is something like "uid=x,ou=users,dc=example,dc=de"

Is there a possibility to use the existing "Domain Admins" group for user
authentication, even if there are only memberUids stored and not complete DNs?
I don't want to add all Domain Admins to the ACL above one by one. A change in
the members would also lead to a change in the ACL if it were done this
way.



Best regards,
Florian Götz



----------------------------------------------------------------------------------------
Dipl.-Inf. (FH) Florian Götz
Rechenzentrum Hochschule Mannheim
Paul-Wittsack-Straße 10
68163 Mannheim
Tel: 0621/292-6232

EMail: f.goetz@hs-mannheim.de
Internet: http://www.rz.hs-mannheim.de

-----
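As an added example that is not part of the original post: the same access rule rewritten with a set-based "by" clause, which matches the bound user's uid against the group's memberUid values instead of expecting DN-valued members. It is written in slapd.conf syntax, reuses the DNs from the post, and assumes slapd's built-in set support in ACLs (no extra overlay).

```conf
# Added example (slapd.conf syntax), not the original poster's configuration.
# Assumes slapd's built-in "set" ACL support; the DNs are taken from the post.

# Original clause: never matches here. "by group=" defaults to
# groupOfNames/member and the member attribute must hold DNs
# (DN or NameAndOptionalUID syntax). A posixGroup stores plain uid
# strings in memberUid, so no bound user satisfies this clause.
#
#   by group="cn=Domain Admins,ou=groups,dc=example,dc=de" write

# Working form: a set expression.
#   [<dn>]/memberUid -> memberUid values of the Domain Admins entry
#   user/uid         -> uid values of the bound user's own entry
#   &                -> intersection; a non-empty result matches
access to dn.subtree="ou=Groups,dc=example,dc=de"
        by set="[cn=Domain Admins,ou=groups,dc=example,dc=de]/memberUid & user/uid" write
        by dn="uid=backup,ou=users,dc=example,dc=de" read
        by users none
        by * none
```

The membership lookup is performed by slapd itself while evaluating the rule, so it does not depend on the bound user being able to search ou=Groups, and adding or removing a memberUid takes effect without editing the ACL.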