Dmitriy Kirhlarov wrote:
> Hi, list
> Now we are using an LDAP tree to authenticate several services on many hosts. We have two types of admins (admin1 and admin2 roles) and I want separate permissions:
> - admin1 can edit cn=usergroup1, but can't edit cn=usergroup2.
> - admin2 can edit both.
> (I know how I can do it.)
check man 5 slapd.access
> Next. A user can be registered in both groups, or in just one. We are developing our own LDAP admin tool for user management. When a user is gone, we remove his id from all groups and lock his account. Usually, this is work for admin1.
> We need this behaviour from our tool: if we can't remove the user id from some group (insufficient access), we do nothing and just answer to admin1: "You can't remove the user from group2 -- ask admin2".
> For this behaviour we need either transactions or some easy way to check our access rights for all entries which we want to modify.
> AFAIK, transactions are not feasible for our case. What about checking access rights on the client side without performing the modification itself?
WBR
Erlend