Andrew Cobaugh wrote:
On Fri, Mar 6, 2009 at 4:10 PM, Quanah Gibson-Mount <quanah@zimbra.com> wrote:
If you set the cn value on every group they are supposed to be able to write to, then they'll be able to write to any of those groups. I.e., "this/cn" is the group entry in question. I'm assuming you want them to be able to write to any group they have control of. If you don't, then simply remove the cn=uid value from the group.
Perhaps I didn't articulate my point well enough.
I want them to be able to *create* these entries on their own; they won't be pre-created. So, I want them to be able to create entries under ou=group but only if they are of the form uid:.+
access to dn.exact="ou=group,dc=domain" attrs=children
    by users write
access to dn.regex="cn=(.*):.*,ou=group,dc=domain"
    by set.expand="$1 & user/uid" write
You'll also need to use OpenLDAP 2.4.13 or newer, to control who can add entries. (See slapd-config(5), olcAddContentAcl)