Re: Letting Users Create Groups
- To: Tim Gustafson <tjg@soe.ucsc.edu>
- Subject: Re: Letting Users Create Groups
- From: Andy Cobaugh <phalenor@gmail.com>
- Date: Thu, 17 Mar 2011 13:21:02 -0400 (EDT)
- Cc: openldap-technical@openldap.org
- In-reply-to: <1028607968.2292.1300381680882.JavaMail.root@mail-01.cse.ucsc.edu>
- References: <1028607968.2292.1300381680882.JavaMail.root@mail-01.cse.ucsc.edu>
- User-agent: Alpine 2.00 (LRH 1167 2008-08-23)
On 2011-03-17 at 10:08, Tim Gustafson (tjg@soe.ucsc.edu) said:
> Hi,
> I'd like to let users create posixGroup objects, but I don't want them
> to be able to pick a gidNumber that is already in use, or that is less
> than 1000 or greater than 10000, and I only want the groups to be
> created in the ou=Group,dc=example,dc=com container.
Take a look at slapo-unique to enforce gidNumber uniqueness. The last part is
definitely doable. As to enforcing a value to be within a certain range, I
suppose if you can come up with a regex to match that, it should be
possible.
We have something similar, in that users can create groups of the form
<user>:<groupname>. Here are the ACLs that make that work:
# allow access to create entries under ou=group
access to dn.exact="ou=group,dc=bx,dc=psu,dc=edu" attrs=children
        by users write
        by * read

# personal groups
access to dn.regex="cn=(.+):.+,ou=group,dc=bx,dc=psu,dc=edu"
        filter=(|(objectclass=groupofnames)(objectclass=posixgroup))
        attrs=member,memberUid
        by dn.regex="uid=$1,ou=people,dc=bx,dc=psu,dc=edu" write
        by dn.regex=".*/admin,ou=people,dc=bx,dc=psu,dc=edu" write
        by group.exact="cn=ldapadmin-groups,ou=group,dc=bx,dc=psu,dc=edu" write
        by * read
--andy
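The two pieces Andy points at (slapo-unique for uniqueness, a regex for the range) put together as an added slapd.conf example for Tim's container; this is not configuration from the thread or from either poster. The container DN ou=Group,dc=example,dc=com comes from Tim's question; everything else (the attribute list for a posixGroup, the use of the 2.4 "add" access level instead of "write" on the children pseudo-attribute, and the decision to let any authenticated user write an in-range gidNumber) is an assumption of this example.

```conf
# Added example, not from the thread. Goes inside the database section
# that serves dc=example,dc=com. Assumes OpenLDAP 2.4 (the "add" access
# level below does not exist in 2.3).

# If slapo-unique was built as a module, load it first (uncomment):
# moduleload unique.la

# Server-side uniqueness: reject any add/modify that would give two
# posixGroup entries under ou=Group the same gidNumber. Because the
# check runs inside slapd, it also catches two clients racing for the
# same number, which a client-side "search first" check cannot.
overlay unique
unique_uri ldap:///ou=Group,dc=example,dc=com?gidNumber?sub?(objectClass=posixGroup)

# ACLs. Order matters: the first "access to" whose target matches wins.

# 1. gidNumber values from 1000 to 10000 inclusive are writable by any
#    authenticated user. The regex is anchored on purpose: without ^...$
#    a value such as 100000 would also match.
access to dn.one="ou=Group,dc=example,dc=com"
        filter=(objectClass=posixGroup)
        attrs=gidNumber val.regex="^([1-9][0-9]{3}|10000)$"
        by users write
        by * read

# 2. Every other gidNumber value is read-only, so an add or modify that
#    carries an out-of-range value falls through to here and is denied.
access to dn.one="ou=Group,dc=example,dc=com" attrs=gidNumber
        by * read

# 3. Users may create entries directly under ou=Group. "add" (rather than
#    "write") on the children pseudo-attribute lets them add but not
#    delete children; nothing above ou=Group is opened up at all.
access to dn.exact="ou=Group,dc=example,dc=com" attrs=children
        by users add
        by * read

# 4. The new entry itself: an add needs write access to the "entry"
#    pseudo-attribute and to each attribute in the entry being added.
#    The attribute list here is what a minimal posixGroup carries.
access to dn.one="ou=Group,dc=example,dc=com"
        filter=(objectClass=posixGroup)
        attrs=entry,objectClass,cn,description,memberUid
        by users write
        by * read
```

Rules 1 and 2 together are the "regex for the range": a gidNumber value is matched first against the anchored range pattern, and only a value that matches gets write access. Note that as written, rule 1 also lets any authenticated user change the gidNumber of an existing group; to tie each group to its creator, replace the dn.one target with a dn.regex of the cn=<user>:<groupname> shape Andy uses and grant write to dn.regex="uid=$1,..." instead of to "users".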