Andrew Cobaugh wrote:
On Fri, Mar 6, 2009 at 4:10 PM, Quanah
> If you set the cn value on every group they are supposed to be able to write
> to, then they'll be able to write to any of those groups. I.e.,
> is the group entry in question. I'm assuming you want them to be able to
> write to any group they have control of. If you don't, then simply remove
> the cn=uid value from the group.
Perhaps I didn't articulate my point well enough.
I want them to be able to *create* these entries on their own, they
won't be pre-created. So, I want them to be able to create entries
under ou=group but only if they are of the form uid:.+
access to dn.exact="ou=group,dc=domain" attrs=children
by users write
access to dn.regex="cn=(.*):.*,ou=group,dc=domain"
by set.expand="$1 & user/uid" write
You'll also need to use OpenLDAP 2.4.13 or newer, to control who can add
entries. (See slapd-config(5), olcAddContentAcl)
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/