
Re: Letting Users Create Groups



> to prevent gidNumber duplicates you probably need slapo-unique.

That works well; here's my configuration:

overlay unique
unique_uri ldap:///ou=Group,dc=example?cn?sub?
unique_uri ldap:///ou=Group,dc=example?gidNumber?sub?

> ACLs along these lines should do the rest:
> 
> access to dn.exact="ou=group,dc=example" attrs=children
> by users write
> 
> access to dn.sub="ou=group,dc=example" attrs=entry
> filter="(&(objectClass=posixAccount)(gidNumber>=1000)(gidNumber<=1000))"
> by users add

I already have this:

access to
 dn.subtree="ou=Group,dc=example"
 attrs=manager,memberUid,description,myStatus,myComment
 by set="this/manager & user" write
 by * break

(My groups all have an additional objectClass, myGroup, which adds a manager, description, myStatus and myComment attribute to groups.)

Will the ACLs you propose break that?  It doesn't look like they will; I just want to make sure.

Tim Gustafson
Baskin School of Engineering
UC Santa Cruz
tjg@soe.ucsc.edu
831-459-5354