From ando@sys-net.it Sat Oct 27 08:06:18 2007
From: Pierangelo Masarati <ando@sys-net.it>
To: openldap-software@openldap.org
Subject: Re: Access Control by group
Date: Sat, 27 Oct 2007 10:09:40 +0200
Message-ID: <4722F244.8000003@sys-net.it>
In-Reply-To: <4296d7270710261342x760ab552i66652f9bd3687702@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6264877416160945904=="

--===============6264877416160945904==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Jason Dearborn wrote:
> Ack.
> 
> Just found this:
> http://www.openldap.org/lists/openldap-software/200710/msg00343.html
> and this:
> http://www.mail-archive.com/openldap-software(a)openldap.org/msg08524.html
> 
> Looks like other people are trying to work with posixGroups as well.
> 
> 
> 
> On 10/26/07, Jason Dearborn wrote:
>> I'd like to grant members of an Administrator group full access to
>> everything in LDAP.
>>
>> According to the ldap FAQ, the default objectclass is "groupOfNames" and
>> the default attribute checked is "member".  To match my config I'd need to
>> change the values to "posixGroup" and "memberUid" respectively.  It looks
>> like you can do that with the following syntax:
>>
>> <who> ::= group[/<objectclass>[/<attrname>][.<style>]]=<pattern>]
>>
>> I can't find any examples on the web and I've been
>> unsuccessful experimenting with various syntatical permutations.  slapd
>> won't start with any of the following:
>>
>> access to *
>>     by group/posixGroup="Admins,ou=Group,dc=example,dc=com" write
>>
>> access to *
>>    by group/posixGroup/memberUid="Admins,ou=Group,dc=example,dc=com" write
>>
>> I'm running OpenLDAP 2.2.13-2
>>
>> Has anyone been able to make this work?

It's impossible because in [rd]ecent releases of OpenLDAP software
member attributes can only have distinguishedName (or, unfortunately,
nameAndOptionalUID) syntax, or be or inherit from labeledURI, so
memberUid is not allowed.  The reason is straightforward, if you
consider how group membership is designed in LDAP (not just in
OpenLDAP): members are listed in grouos by their name (the DN), the only
bit that's supposed to be unique.

Many people tried to use memberUid, but I can guarantee they all failed.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati(a)sys-net.it
---------------------------------------



--===============6264877416160945904==--