On 20/2/2012 11:14 μμ, Dieter Klünter wrote:
The AdminGuide (and slapd.,access(5) clearly say [dnattr=<attrname>] that is, attribute name is commonName or telephoneNumber, but not an attribute value like AdminGroups.
Thanks Dieter,
I guess I was not clear enough?
According to my description, AdminGroups, ReadGroups and SearchGroups are in fact attributes (of a hypothetical to-be-defined objectClass:AdminGroupOwnership) and not values.
We add to each entry the objectClass: AdminGroupOwnership and any needed attributes (AdminGroups, ReadGroups and SearchGroups); these attributes, I repeat, would have values of the form:
cn=<someAdmins>,ou=Groups,dc=example,dc=com
Will it work as expected (to provide access to members of these groups) if we use rules of the form: access to <some entries> <some attributes> by dnattr=AdminGroups write by dnattr=ReadGroups read by dnattr=SearchGroups search ...??
Thanks, Nick