James Tran writes:
> I want to be able to make a group that is authorized to be admins to the LDAP database, but it seems I can't do it with posixGroups.
Strictly speaking the 'admin' is the rootdn given in slapd.conf. But if you mean to give full read and write access:
You can use "sets". They are still marked experimental, but are described in http://www.openldap.org/faq/data/cache/1133.html.
This is all written without testing, but it would be something like this:
access to *
        by set="user/uid & [cn=admins,cn=filegroups,dc=example,dc=com]/memberUid"
           set="user/objectClass & [posixGroup]" write
        by ...
I.e. anyone with (a) a uid attribute matching a memberUid attribute in the admin group + (b) a 'posixGroup' in objectClass.
However, note that if you grant access based on an attribute in the user's entry, then anyone with write access to that attribute in some entry can add that entry to your admin group. E.g. if you add 'by self write', anyone can add themselves to the group. And anyone who can add an entry can include an admin's uid in the entry.
If nobody can modify the uid attribute, that stops the former problem:
access to attrs=uid
        by <the admin set above> write
        by * read
If others can add entries, that ACL doesn't keep them out. But if e.g. only DNs below cn=users,dc=example,dc=com are admins and others with add access can't add entries there, you could instead use
access to *
        by dn.onelevel="cn=users,dc=example,dc=com"
           set="user/uid & [cn=admins,cn=filegroups,dc=example,dc=com]/memberUid"
           set="user/objectClass & [posixGroup]" write
        by ...
An alternative is to construct the user's DN in the set:
        by set="user & ([uid=] + [cn=admins,cn=filegroups,dc=example,dc=com]/memberUid + [,cn=users,dc=example,dc=com])"
or:
        by set="(user & ([uid=] + [cn=admins,cn=filegroups,dc=example,dc=com]/memberUid + [,cn=users,dc=example,dc=com]))/objectClass & [posixGroup]"
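As an added example (not the poster's tested configuration and not from this thread), here is how the pieces above fit together into one ordered slapd.conf ACL block, keeping only the uid/memberUid set and the dn.onelevel restriction; the suffix dc=example,dc=com, the cn=users container and the cn=admins group are the names assumed above.

```conf
# Added illustration, untested against a live slapd. slapd evaluates "access to"
# clauses in order and stops at the first one whose target matches, so the
# clauses that protect the attributes the admin set depends on come first.
# Assumed names: users under cn=users,dc=example,dc=com,
# admin group cn=admins,cn=filegroups,dc=example,dc=com.

# 1. uid: only admins may change it. Placed before the catch-all below so that
#    "by self write" there can never reach uid (an admin is recognised by uid).
access to attrs=uid
        by dn.onelevel="cn=users,dc=example,dc=com"
           set="user/uid & [cn=admins,cn=filegroups,dc=example,dc=com]/memberUid" write
        by * read

# 2. The membership list itself: only current admins may edit memberUid.
access to dn.exact="cn=admins,cn=filegroups,dc=example,dc=com" attrs=memberUid
        by dn.onelevel="cn=users,dc=example,dc=com"
           set="user/uid & [cn=admins,cn=filegroups,dc=example,dc=com]/memberUid" write
        by * read

# 3. Everything else: admins write, users edit their own entry (uid already
#    excluded by clause 1), everyone else reads. Ordinary users are not "self"
#    for the cn=users container, so they cannot add entries under it.
access to *
        by dn.onelevel="cn=users,dc=example,dc=com"
           set="user/uid & [cn=admins,cn=filegroups,dc=example,dc=com]/memberUid" write
        by self write
        by * read

# If clause 1 were moved after clause 3 it would never match: the catch-all
# already covers uid, and its "by self write" would let anyone rename
# themselves to an admin's uid.
```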