Re: Letting Users Create Groups

[Andy Cobaugh <phalenor@gmail.com>]

On 2011-03-17 at 10:08, Tim Gustafson ( tjg@soe.ucsc.edu ) said:
> Hi,
>
> I'd like to let users create posixGroup objects, but I don't want them 
> to be able to pick a gidNumber that is already in use, or that is less 
> than 1000 or greater than 10000, and I only want the groups to be 
> created in the ou=Group,dc=example,dc=com container.

Take a look at slapo-unique to enforce gidNumber uniqueness. Last part is 
definitely doable. As to enforcing a value to be within a certain range, I 
suppose if you can come up with a regex to match that, it should be 
possible.

We have something similar, in that users can create groups of the form 
<user>:<groupname>. Here are the ACLs that make that work:

# allow access to create entries under ou=group
access to dn.exact="ou=group,dc=bx,dc=psu,dc=edu" attrs=children
        by users write
	by * read

# personal groups
access to dn.regex="cn=(.+):.+,ou=group,dc=bx,dc=psu,dc=edu" filter=(|(objectclass=groupofnames)(objectclass=posixgroup)) attrs=member,memberUid
        by dn.regex="uid=$1,ou=people,dc=bx,dc=psu,dc=edu" write
        by dn.regex=".*/admin,ou=people,dc=bx,dc=psu,dc=edu" write
        by group.exact="cn=ldapadmin-groups,ou=group,dc=bx,dc=psu,dc=edu" write
        by * read
--andy