Re: Controlling access based on group membership

[Nick Milas <nick@eurobjects.com>]

On 20/2/2012 1:45 ÎÎ, Nick Milas wrote:

> I would like to ask the list:
> 1. Can someone demonstrate how we should formulate an ACL which would 
> accomplish the above? The ACL should say:
> access to <some entries> <some attribute>
>     by {a DN which belongs to a Group specified in the AdminGroups 
> attr of the entry} write
>     by {a DN which belongs to a Group specified in the ReadGroups attr 
> of the entry} read
>     by {a DN which belongs to a Group specified in the SearchGroups 
> attr of the entry} search
>
> 2. Is there an existing (included in the distribution or available 
> from a third-party) schema or similar mechanism available (so that I 
> don't re-invent the wheel)?

Reading through http://www.openldap.org/doc/admin24/access-control.html, 
I came to the conclusion that this could work if we specify:

 access to <some entries> <some attributes>
    by dnattr=AdminGroups write
    by dnattr=ReadGroups read
    by dnattr=SearchGroups search

Will this work if the DNs included in these attributes are, as I have 
described, of the following form:

   cn=<someAdmins>,ou=Groups,dc=example,dc=com

and these are in turn defined as:
dn: cn=<someAdmins>,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: TechAdmins
member: uid=<user1>,ou=people,dc=example,dc=com
member: uid=<user2>,ou=people,dc=example,dc=com

...??

Please, advise.

Thanks,
Nick