Schema Design :: ACL on Groups by Group Members only
- To: openldap-technical@openldap.org
- Subject: Schema Design :: ACL on Groups by Group Members only
- From: sim123 <Sim3159@gmail.com>
- Date: Thu, 17 Mar 2011 12:01:15 -0700
Hi there,
I want "n" number of groups (or a similar structure which keeps member information) to be created, and only group members should have access to those groups. Members are defined in a separate user branch, so my DIT looks like
dc=example,dc=com
+--ou=people,dc=example,dc=com
+----uid=bjanson,ou=users,dc=example,dc=com
+----uid=matt,ou=users,dc=example,dc=com
+--cn=group1,dc=example,dc=com (groupOfNames)
+----cn=subgroup1,dc=example,dc=com (groupOfNames)
Now users bjanson and matt are members of group1; only bjanson is a member of subgroup1. I would like to have an ACL defined so only members can access their group. I don't need any ACL on the subgroup as long as only all members of the parent group can access it.
Is it possible to do that in a generic form, because the basic ACL syntax needs a dn/filter in the "access to" clause? In my example, if I have n groups I will end up having n access control statements in slapd.conf, which doesn't sound like a good idea.
Also, I don't need to use groups as such, but groupOfNames/groupOfUniqueNames are the only classes which support the member attribute. Please let me know if there is any other objectClass I should use.
Thanks for all the help and support, I appreciate it very much.
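A slapd.conf fragment, added here as an example and not taken from the original post or any reply, showing one generic ACL of the kind the question asks for. It assumes the DIT sketched above (groupOfNames entries directly under dc=example,dc=com, users under ou=people) and relies on the dnattr= clause from slapd.access(5), which is evaluated against each matched entry's own member attribute, so a single rule covers any number of groups.

```conf
# ACLs are evaluated first-match, so keep the password rule first:
# users can change their own password and anyone can bind with it.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# One rule for every group entry under the suffix instead of one per group.
# dn.regex matches any "cn=<anything>,dc=example,dc=com" and the filter
# restricts it to groupOfNames (use uniqueMember / groupOfUniqueNames
# in both places if that class is used instead).
# dnattr=member grants read to a bound DN only if that DN is listed in the
# target entry's own member attribute: group1 becomes readable by bjanson
# and matt, subgroup1 only by bjanson, and other authenticated users get none.
access to dn.regex="^cn=[^,]+,dc=example,dc=com$" filter="(objectClass=groupOfNames)"
    by dnattr=member read
    by * none

# Everything else (the people branch) stays readable to authenticated users.
access to *
    by users read
    by * none
```

Check the result from a member and a non-member bind with ldapsearch -b "cn=group1,dc=example,dc=com" to confirm that only listed members get the entry back.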