Hi everybody,
I'm trying to write an admin tool for my LDAP in PHP. Changes to entries of other people should only be possible by members of the group "Domain Admins", so I wrote some PHP code which checks if the provided username (via web browser) is a member of "Domain Admins".
"Domain Admins" is created by Samba and is a normal posixGroup/sambaGroupMapping. All members of the group are listed via "memberUid".
But at the same time there is an LDAP ACL used like this:
access to dn.subtree="ou=Groups,dc=example,dc=de"
    by group="cn=Domain Admins,ou=groups,dc=example,dc=de" write
    by dn="uid=backup,ou=users,dc=example,dc=de" read
    by users none
    by * none
An internal policy prohibits normal users from accessing the Groups subtree. I added the "by group" line, but then realised that it cannot work this way.
A user search like "search if memberUid=x is a member of 'Domain Admins'" needs the rights for a search in ou=groups. But the only stored attribute per user is the memberUid, not the complete DN.
The DN of a possible user is something like "uid=x,ou=users,dc=example,dc=de"
Is there a possibility to use the existing "Domain Admins" group for user authentication, even if only memberUids are stored and not complete DNs? I don't want to add all Domain Admins to the ACL above one by one. A change in the members would also lead to a change in the ACL if it were done this way.
Best regards, Florian Götz
----------------------------------------------------------------------------------------
Dipl.-Inf. (FH) Florian Götz
Rechenzentrum Hochschule Mannheim
Paul-Wittsack-Straße 10
68163 Mannheim
Tel: 0621/292-6232
EMail: f.goetz@hs-mannheim.de
Internet: http://www.rz.hs-mannheim.de
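The following slapd.conf fragment is an added example for the situation described in the post above; it is not part of the original message. It assumes the DNs used in the post, that the bound user's entry carries a uid attribute matching its memberUid value, and that the slapd build supports "set" ACL clauses as documented in slapd.access(5).

```conf
# Added example, not from the original post. Assumes the poster's DNs
# (ou=Groups / ou=users under dc=example,dc=de) and a slapd with "set"
# ACL support (see slapd.access(5), "Sets").
#
# "by group=" only works when the member attribute is DN-valued
# (member / uniqueMember). A Samba posixGroup keeps bare uid strings in
# memberUid, so the group clause never matches and the admins fall
# through to "by users none".
#
# A set clause compares attribute values as strings instead:
#   [cn=Domain Admins,...]/memberUid  -> memberUid values of the group entry
#   user/uid                          -> uid values of the bound user's entry
# The intersection (&) is non-empty exactly when the bound uid is listed
# in the group, so membership is maintained in LDAP and slapd.conf never
# has to list individual admins.
#
# "by" clauses are evaluated first-match, so the set clause must come
# before "by users none", which still keeps the Groups subtree hidden
# from everybody else, as the internal policy requires.
access to dn.subtree="ou=Groups,dc=example,dc=de"
    by set="[cn=Domain Admins,ou=Groups,dc=example,dc=de]/memberUid & user/uid" write
    by dn="uid=backup,ou=users,dc=example,dc=de" read
    by users none
    by * none
```

Before deploying, verify the result offline with slapacl(8), e.g. `slapacl -f slapd.conf -D "uid=x,ou=users,dc=example,dc=de" -b "cn=Domain Admins,ou=Groups,dc=example,dc=de" memberUid/write`, once for a listed admin and once for an ordinary user.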