Re: Controlling access based on group membership

[Buchan Milne <bgmilne@staff.telkomsa.net>]

On Monday, 20 February 2012 23:57:17 Nick Milas wrote:
> On 20/2/2012 11:14 ÎÎ, Dieter KlÃnter wrote:
> > The AdminGuide (and slapd.,access(5) clearly say
> > [dnattr=<attrname>]
> > that is, attribute name is commonName or telephoneNumber, but not an
> > attribute value like AdminGroups.
> 
> Thanks Dieter,
> 
> I guess I was not clear enough?

You were clear enough in your requirement, but your approach will not work 
(and I thought Dieter was clear enough in that regard too).

> According to my description, AdminGroups, ReadGroups and SearchGroups
> are in fact attributes (of a hypothetical to-be-defined
> objectClass:AdminGroupOwnership) and not values.

And you also want the values of these attributes to be expanded to the members 
(of some definition) of the groups (of some definitions).


> We add to each entry the objectClass: AdminGroupOwnership and any needed
> attributes (AdminGroups, ReadGroups and SearchGroups); these attributes,
> I repeat, would have values of the form:
> 
>     cn=<someAdmins>,ou=Groups,dc=example,dc=com
> 
> Will it work as expected (to provide access to members of these groups)
> if we use rules of the form:
>   access to <some entries> <some attributes>
>      by dnattr=AdminGroups write
>      by dnattr=ReadGroups read
>      by dnattr=SearchGroups search
> ...??

If you were to bind as the 'group' 
cn=<someAdmins>,ou=Groups,dc=example,dc=com, this would work. But, not if you 
bind as a 'member' of this group (which I believe is what you want).

What you want to do may be achieveable with sets 
(http://www.openldap.org/faq/data/cache/1133.html).

Regards,
Buchan