Don Hoover wrote:
I was wondering if there was a way to write an ACL for a members of the PosixGroup.
I have a simple directory structure of: ou=People,o=myorg (with posixusers) ou=Group,o=myorg (with posixgroups)
I would like to create an ACL that allows users who have a gidNumber of X (say 101) that matches our systems admin group to have write access. And I guess one point is that they are not listed individually as "memberOf" entries in the ou=Group cn, they just have a gidNumber that matches a group in there.
I tried:
by group="cn=sysads,ou=Group,o=myorg" write
and
by group.expand="cn=sysads,ou=Group,o=myorg" write
Neither one worked, and in fact I saw an error message of something like: => bdb_entry_get: found entry: "cn=sysads,ou=group,o=myorg"
Mar 28 11:44:59 kyloulapp54dp slapd[5949]: <= bdb_entry_get: failed to find objectClass groupOfNames
Do the group ACLs require a "groupOfNames" instead of using posixGroups under an organizationalUnit?
I was wondering if maybe there is some regex I could use to check the gidNumber of the user attempting access? I am not a regex genius so any help would be appreciated.
Not a regex. You could check membership by posixGroup members (memberUid) using sets http://www.openldap.org/faq/data/cache/1133.html.
Something like
access to * by set="user/uidNumber & [cn=group]/memberUid" read
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
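As an added illustration of how the set-based clause in the reply above decides access (this is not code from OpenLDAP or from either poster), the following Python models slapd's set evaluation over a small constructed directory shaped like the one in the question. It covers both the memberUid form from the reply (matched against the user's uid, since memberUid in the RFC 2307 posixGroup schema holds login names) and the gidNumber form the original question asked about, where nobody is listed in memberUid at all. All DNs, uids and numbers are made-up sample data.

```python
"""Model of how an OpenLDAP set-based ACL ("by set=...") decides access.

Added, stand-alone illustration; not code from OpenLDAP or from either
poster. The directory below is constructed to match the thread's layout
(ou=People / ou=Group under o=myorg); every DN, uid and number is sample data.
"""

# Constructed sample directory: DN -> attributes (lists of string values),
# mirroring how slapd holds posixAccount and posixGroup entries.
DIRECTORY = {
    "uid=alice,ou=People,o=myorg": {
        "objectClass": ["posixAccount"], "uid": ["alice"],
        "uidNumber": ["1001"], "gidNumber": ["101"],   # primary group = sysads
    },
    "uid=bob,ou=People,o=myorg": {
        "objectClass": ["posixAccount"], "uid": ["bob"],
        "uidNumber": ["1002"], "gidNumber": ["100"],
    },
    "uid=carol,ou=People,o=myorg": {
        "objectClass": ["posixAccount"], "uid": ["carol"],
        "uidNumber": ["1003"], "gidNumber": ["100"],   # secondary member only
    },
    "cn=sysads,ou=Group,o=myorg": {
        "objectClass": ["posixGroup"], "cn": ["sysads"],
        "gidNumber": ["101"], "memberUid": ["carol"],
    },
}

GROUP = "cn=sysads,ou=Group,o=myorg"  # the admin group from the thread


def attr_values(dn, attr):
    """Set of values of `attr` on entry `dn` (empty if entry or attr is absent)."""
    return set(DIRECTORY.get(dn, {}).get(attr, []))


def set_acl_grants(user_dn, left, group_dn, right):
    """Evaluate the slapd set expression   user/<left> & [<group_dn>]/<right>.

    In slapd's set syntax `user/attr` expands to the bound user's values of
    attr, `[dn]/attr` to that entry's values of attr, and `&` is set
    intersection. The `by set=` clause matches when the result is non-empty.
    """
    return bool(attr_values(user_dn, left) & attr_values(group_dn, right))


def via_member_uid(user_dn):
    """Explicit posixGroup membership: the user's uid appears in memberUid."""
    return set_acl_grants(user_dn, "uid", GROUP, "memberUid")


def via_gid_number(user_dn):
    """The question's case: the user's primary gidNumber equals the group's
    gidNumber, with no memberUid listing. Note this only sees the *primary*
    group; users added to the group via memberUid alone are not matched."""
    return set_acl_grants(user_dn, "gidNumber", GROUP, "gidNumber")


def via_either(user_dn):
    """Both rules combined; two consecutive `by set=` clauses in slapd would
    give the same effect."""
    return via_member_uid(user_dn) or via_gid_number(user_dn)


if __name__ == "__main__":
    for dn in (d for d in DIRECTORY if d.startswith("uid=")):
        print(f"{dn:32s} memberUid={via_member_uid(dn)!s:5s} "
              f"gidNumber={via_gid_number(dn)!s:5s} either={via_either(dn)}")
```

Mapped back to slapd.conf, assuming the set syntax described in the FAQ entry the reply links to, the two rules modelled here correspond to `by set="user/uid & [cn=sysads,ou=Group,o=myorg]/memberUid" write` and `by set="user/gidNumber & [cn=sysads,ou=Group,o=myorg]/gidNumber" write`; in the sample data alice is granted only by the gidNumber rule and carol only by the memberUid rule, which is why a directory that mixes primary-group and memberUid membership needs both clauses.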