
Re: Controlling access based on group membership



On 20/2/2012 11:14 PM, Dieter Klünter wrote:

The AdminGuide (and slapd.access(5)) clearly say
[dnattr=<attrname>]
that is, attribute name is commonName or telephoneNumber, but not an
attribute value like AdminGroups.

Thanks Dieter,

I guess I was not clear enough?

According to my description, AdminGroups, ReadGroups and SearchGroups are in fact attributes (of a hypothetical to-be-defined objectClass:AdminGroupOwnership) and not values.

We add to each entry the objectClass: AdminGroupOwnership and any needed attributes (AdminGroups, ReadGroups and SearchGroups); these attributes, I repeat, would have values of the form:

   cn=<someAdmins>,ou=Groups,dc=example,dc=com

Will it work as expected (to provide access to members of these groups) if we use rules of the form:
 access to <some entries> <some attributes>
    by dnattr=AdminGroups write
    by dnattr=ReadGroups read
    by dnattr=SearchGroups search
...??

Thanks,
Nick