
Schema Design :: ACL on Groups by Group Members only

Hi There,

I want "n" number of groups (or a similar structure which keeps member information) to be created, and only group members should have access to those groups. Members are defined in a separate user branch, so my DIT looks like

dc=example,dc=com
+--ou=people,dc=example,dc=com
+----uid=bjanson,ou=users,dc=example,dc=com
+----uid=matt,ou=users,dc=example,dc=com
+--cn=group1,dc=example,dc=com (groupOfNames)
+----cn=subgroup1,dc=example,dc=com (groupOfNames)

Now users bjanson and matt are members of group1; only bjanson is a member of subgroup1. I would like to have an ACL defined so that only members can access their group. I don't need any ACL on the subgroup as long as only the members of the parent group can access it.

Is it possible to do that in a generic form, because the basic ACL syntax needs a dn/filter in the "access to" clause? In my example, if I have n groups I will end up having n access control statements in slapd.conf, which doesn't sound like a good idea.

Also, I don't need to use groups as such, but groupOfNames/groupOfUniqueNames are the only classes which support a member attribute. Please let me know if there is any other objectClass I should use.

Thanks for all the help and support, I appreciate it very much.
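One way to express this without one rule per group, added here as an illustration and not part of the original message: slapd's "dnattr" clause grants access when the requestor's own DN appears in a named attribute of the target entry, so a single regex-based rule covers every groupOfNames directly under the suffix. The group and subgroup DNs are taken from the tree above; the "set" rule for the subgroup is an assumption about slapd's set syntax ("this/-1" for the parent entry) and should be checked against slapd.access(5) before relying on it.

```conf
# Added example, not from the original post. Assumes OpenLDAP slapd.conf
# access directives; group DNs (cn=...,dc=example,dc=com) follow the tree above.

# Every group entry directly under the suffix: readable only by the DNs
# listed in its own "member" attribute. One rule serves all n groups.
access to dn.regex="^cn=[^,]+,dc=example,dc=com$" attrs=entry,cn,member,objectClass
    by dnattr=member read
    by * none

# Subgroup entries (cn=...,cn=...,dc=example,dc=com): readable by members of
# the parent group. ASSUMPTION: "this/-1" selects the parent entry in a set
# clause; verify with slapd.access(5) for the slapd version in use.
access to dn.regex="^cn=[^,]+,cn=[^,]+,dc=example,dc=com$" attrs=entry,cn,member,objectClass
    by set="this/-1/member & user" read
    by * none

# Everything else stays closed unless a later rule opens it.
access to *
    by * none
```

Because "by dnattr=member" is evaluated against the entry being accessed rather than a DN fixed in the rule, adding a new group needs no change to slapd.conf; the rule also denies anonymous and non-member binds, so a quick check is to bind as matt and confirm that a search for cn=subgroup1 returns nothing while cn=group1 is visible.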