Hi all,
I'm trying to set up 'personal' groups with ACLs that allow my users to directly create and modify their own personal group. For me, personal groups are of the form "cn=uid:groupname,ou=group,dc=mydomain"
So far I've had partial success. If the group already exists, the user can modify that entry.
What I'm struggling with is how to allow authenticated users to create entries of the form uid:foo under the group ou, i.e. grant write access to the children of ou=group.
I *think* I can use "by set=<something>", but I haven't quite gotten the grasp of it, and there are very few references to using 'set' online (at least that I've found).
I was hoping someone on this list has either done something like this before, or could point me in the right direction.
I think the set clause should at least be based on something like, set="this/cn & user/uid" but with extra stuff in there to require a colon and one or more characters only.
Ideas?
--andy
--On Friday, March 06, 2009 3:46 PM -0500 Andrew Cobaugh <phalenor@gmail.com> wrote:
> Hi all,
> I think the set clause should at least be based on something like, set="this/cn & user/uid" but with extra stuff in there to require a colon and one or more characters only.
Add a second cn value to the entry that matches the uid. That way this/cn would match. cn is multivalued after all. ;)
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
openldap-software@openldap.org
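
An added example, not from either poster in this thread: the same goal written with a `dn.regex` match and the `expand` modifier from slapd.access(5) instead of a `set` clause. It assumes user entries are named uid=<uid>,ou=people,dc=mydomain; the ou=people branch is an assumption, since the thread does not say where users live.

```conf
# slapd.conf ACL fragment (added example, not from the thread).
# Assumption: users bind as uid=<uid>,ou=people,dc=mydomain.

# 1. Personal group entries: cn=<uid>:<groupname>,ou=group,dc=mydomain
#    The regex requires a colon followed by one or more characters,
#    and captures the part before the colon as $1.
#    Only the user whose DN expands from $1 gets write access,
#    which covers the "entry" pseudo-attribute needed to add the entry
#    as well as every attribute inside it.
access to dn.regex="^cn=([^:,]+):[^,]+,ou=group,dc=mydomain$"
    by dn.exact,expand="uid=$1,ou=people,dc=mydomain" write
    by users read
    by * none

# 2. Adding an entry also needs write access to the parent's
#    "children" pseudo-attribute. Granting it to all authenticated
#    users is safe only because rule 1 decides which child DNs
#    each user may actually write.
access to dn.base="ou=group,dc=mydomain" attrs=children
    by users write
    by * none
```

slapd stops at the first `access to` clause that matches the target, so both rules must appear before any broader rule covering ou=group,dc=mydomain.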