Access control

[Philip Colmer <philip.colmer@linaro.org>]

I'm trying to get access control for writing to groups as automated as possible, in as much as I would like LDAP to be able to determine who is able to write based on other attributes.

I've been able to successfully do this if I only need to grant access to one or a few individuals, by specifying their DN as a value to an attribute, and then using this ACL:

add: olcAccess

olcAccess: {2}to dn.sub="ou=groups,dc=example,dc=com" by dnattr="owner" write by users read by * none

That works really well - I just add the owner attribute to an object, specify the owner's DN and they can then write to the object.

However, for larger scale permissions, I need to be able to use the membership of a group. Now I've read http://www.openldap.org/faq/data/cache/52.html and seen that you can specify:

access to <what>
        by group/<objectclass>/<attributename>=<DN> <access>

However, that would require me to explicitly set the DN of the group in the access control itself.

What I want/need to be able to do is for LDAP to read the DN of the group that has permission, in the same what that it does with dnattr. I thought that I had read something about this being possible with sets, but slapd.access says that "The statement set=<pattern> is undocumented yet." so I'm not clear if that is the most appropriate way to proceed.

Can someone please advise on how this might be accomplished?

Thanks.

Philip