Hi,
Just wondering, before I go and delve into the code, whether there was a way of doing group-based ACLs in the same way as dnattr allows indirection on the user DN.
Essentially, I'd like an object to contain an attribute holding the DN of the group permitted to access that object, and then be able to do access control based on the user being a member of the group pointed to by that DN.
I can find an email from Kurt in 1999, suggesting a groupattr directive be implemented, and welcoming contributions. Would a contribution of this still be welcomed 9 years later?
Cheers,
Simon.
I'm not sure I'm reading you right, but it sounds like you're hosting:

    dn: cn=someObject,dc=example,dc=com
    groupOfWriters: cn=specialPeople,dc=example,dc=com

    dn: cn=specialPeople,dc=example,dc=com
    uniqueMember: cn=Bob,dc=example,dc=com
    uniqueMember: cn=Charlie,dc=example,dc=com

Something like that? Well, first off, consider if you can handle this with the simple case -- that is,

    access to "cn=someObject,dc=example,dc=com"
        by group/groupOfUniqueNames/uniqueMember.exact="cn=specialPeople,dc=example,dc=com" write

Try the ACL test that ships with slapd if you want to see that in action. But it sounds like you want this to be dynamic based off groupOfWriters. I think you can do that with a set ACL. Maybe something along the lines of

    by set="groupOfWriters/member & user" write

but that's just off the top of my head and quite likely insufficient.
> On Wed, 9 Apr 2008, Simon Wilkinson wrote:
> > [...]
Aaron Richton wrote:
> [...]
> But it sounds like you want this to be dynamic based off groupOfWriters. I think you can do that with a set ACL. Maybe something along the lines of
>
>     by set="groupOfWriters/member & user" write
>
> but that's just off the top of my head and quite likely insufficient.
    by set="this/groupOfWriters/member & user" write

would probably be more appropriate :)
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:   +39 02 23998309
Mobile:   +39 333 4963172
Email:    pierangelo.masarati@sys-net.it
---------------------------------------
openldap-software@openldap.org
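To make the difference between the two clauses in this thread concrete, here is an added illustration that is not slapd code and was not posted by anyone in the thread: a small Python model of how slapd resolves the static `group/<objectClass>/<memberAttr>.exact=` clause and the dynamic `set="this/<attr>/<attr> & user"` clause against a directory. The sample LDIF is constructed for the example, and `groupOfWriters` is the hypothetical DN-valued attribute Simon described. One check worth making before deploying the set form: each `/attr` step reads that attribute from the entries reached so far, so the last step must name the attribute the group entry actually uses. Aaron's sample group is a `groupOfUniqueNames` with `uniqueMember` values, while the proposed set walks `member`; with that data `this/groupOfWriters/member` is the empty set and the clause grants nothing, which the model reproduces. The model ignores LDIF continuation lines and base64 values and treats DNs case-insensitively by lower-casing them, which is a simplification of slapd's DN matching.

```python
"""Model of the two OpenLDAP ACL clause forms discussed in the thread.

Added illustration only; it is not slapd's evaluator. Entries are parsed
from a constructed LDIF fragment and both clause forms are evaluated for a
bind DN. 'groupOfWriters' is a hypothetical attribute holding group DNs.
"""

# Constructed sample data in the shape Aaron described. specialPeople is a
# groupOfUniqueNames (uniqueMember); editors is a groupOfNames (member), so
# the attribute-name mismatch in the last set step is visible.
SAMPLE_LDIF = """\
dn: cn=someObject,dc=example,dc=com
objectClass: device
cn: someObject
groupOfWriters: cn=specialPeople,dc=example,dc=com

dn: cn=specialPeople,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: specialPeople
uniqueMember: cn=Bob,dc=example,dc=com
uniqueMember: cn=Charlie,dc=example,dc=com

dn: cn=otherObject,dc=example,dc=com
objectClass: device
cn: otherObject
groupOfWriters: cn=editors,dc=example,dc=com

dn: cn=editors,dc=example,dc=com
objectClass: groupOfNames
cn: editors
member: cn=Alice,dc=example,dc=com
"""


def parse_ldif(text):
    """Return {dn: {attr: [values]}}; DNs, attribute names and values are
    lower-cased so comparisons are case-insensitive. Continuation lines and
    base64 ('::') values are deliberately not handled."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None          # blank line ends the entry
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip().lower()
        if attr == "dn":
            current = entries.setdefault(value, {})
        else:
            current.setdefault(attr, []).append(value)
    return entries


def group_clause(entries, group_dn, objectclass, member_attr, user_dn):
    """by group/<objectclass>/<member_attr>.exact="<group_dn>"
    True iff the named group entry carries that object class and lists
    user_dn in member_attr. The group DN is fixed in the ACL text."""
    group = entries.get(group_dn.lower(), {})
    if objectclass.lower() not in group.get("objectclass", []):
        return False
    return user_dn.lower() in group.get(member_attr.lower(), [])


def set_clause(entries, target_dn, path, user_dn):
    """by set="this/<path[0]>/<path[1]>/... & user"
    'this' is the entry being accessed. Each attribute in path replaces the
    current set of DNs with the union of that attribute's values over those
    entries. The clause matches when the result intersected with {user} is
    non-empty. The group DN comes from the target entry, not the ACL text."""
    current = {target_dn.lower()}
    for attr in path:
        nxt = set()
        for dn in current:
            nxt.update(entries.get(dn, {}).get(attr.lower(), []))
        current = nxt
    return bool(current & {user_dn.lower()})


def who_may_write(entries, target_dn, path, candidates):
    """Bind DNs from candidates that the set clause would grant access to."""
    return sorted(u for u in candidates
                  if set_clause(entries, target_dn, path, u))


if __name__ == "__main__":
    db = parse_ldif(SAMPLE_LDIF)
    bob = "cn=Bob,dc=example,dc=com"
    obj = "cn=someObject,dc=example,dc=com"
    print(group_clause(db, "cn=specialPeople,dc=example,dc=com",
                       "groupOfUniqueNames", "uniqueMember", bob))      # True
    print(set_clause(db, obj, ["groupOfWriters", "member"], bob))       # False
    print(set_clause(db, obj, ["groupOfWriters", "uniqueMember"], bob))  # True
    print(set_clause(db, "cn=otherObject,dc=example,dc=com",
                     ["groupOfWriters", "member"],
                     "cn=Alice,dc=example,dc=com"))                     # True
```

Against a real server the same check is what Aaron's "ACL test that ships with slapd" gives you: run slapacl(8) with `-b` naming the target entry and `-D` naming the bind DN, once per group flavour you host, and confirm the set clause grants exactly the DNs the group lists.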