Hi list,
I am currently trying to make it possible for ordinary users to manage their own groups in the following way:
1 Any user can create new groups ("groupOfNames").
1.1 On creation, the creator is set to be the first member and manager of the group (the latter is defined as a single-value attribute (UDBgrpAdmin) for a self defined auxiliary objectClass "UDBgrp").
1.2 Some names should be prohibited from being used for new groups.
2 Group managers can invite any user to the group by adding their DN to the invited list of the group (UDBgrpInvited) and revoke invitations by removing DNs from said list.
2.1 Group managers can kick members from the group.
2.2 Group managers can delete the group.
2.3 Group managers can assign a new manager who has to be a member of the group.
2.4 Group managers can (re)set a description for the group.
3 Invited users can accept or decline the invitation, i.e. remove themselves from the invite list and add themselves to the member list.
4 Group members can leave the group permanently or temporarily. The latter is achieved by moving themselves from the member list to a suspended list (UDBgrpSuspended) which allows them to rejoin the group later (i.e. move themselves back to the member list) without a new invitation.
I have most of the above covered, but I'm struggling with the points 1.1, 2.3 and to some extent 1.2.
1.1 and 2.3: I have no idea if this is even possible, let alone how to achieve it.
1.2: By extending the 'filter' rule that limits the objectClasses for new entries in "ou=Group" I can make a blacklist for 'cn' values, but I'd rather have something in the DIT itself, so I can modify the list without meddling with the server config. This is optional, though, since I don't expect the list to change very often.
This is what I've got so far:
http://openldap.pastebin.com/n8P4eKvU
Any help would be appreciated.
Regards, Christian Manal
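The following olcAccess set is an added illustration of how the rules listed above map onto OpenLDAP's `dnattr`, `selfwrite` and `set` ACL styles; it is not the poster's configuration from the pastebin and has not been taken from any project. Everything not in the post is assumed: the base DN `dc=example,dc=com`, the database entry `olcDatabase={1}mdb,cn=config`, and the three blacklisted names in the filter, which are constructed placeholders. Point 1.1 is enforced by requiring that the creator's DN appears in both UDBgrpAdmin and member of the entry being added, which assumes slapd evaluates `set` and `dnattr` clauses against the entry in the add request. Point 2.3 is not covered: a plain ACL cannot check that the DN being written into UDBgrpAdmin is itself a value of member, so that check stays with the client (or a constraint overlay). Note that `replace: olcAccess` discards the existing ACLs of that database.

```ldif
# Added example, not from the original post. Base DN and database are assumed.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# 1.2: blacklisted cn values. The filter is also evaluated against an entry
# being added, so nobody can create a group with one of these names.
# The three names are constructed placeholders.
olcAccess: {0}to dn.regex="^cn=[^,]+,ou=Group,dc=example,dc=com$"
  filter="(|(cn=admins)(cn=root)(cn=wheel))"
  by * none
# 1.1 and 2.2: the entry pseudo-attribute. A new group is accepted only if
# the creator is listed as manager AND as member (write implies add); an
# existing group may be deleted by its manager.
olcAccess: {1}to dn.regex="^cn=[^,]+,ou=Group,dc=example,dc=com$"
  attrs=entry
  by set="this/UDBgrpAdmin & this/member & user" write
  by dnattr=UDBgrpAdmin delete
  by users read
# 2 and 3: the manager maintains the invite list; an invited user may
# remove (decline) only their own DN.
olcAccess: {2}to dn.regex="^cn=[^,]+,ou=Group,dc=example,dc=com$"
  attrs=UDBgrpInvited
  by dnattr=UDBgrpAdmin write
  by dnattr=UDBgrpInvited selfwrite
  by users read
# 2.1, 3 and 4: the member list. The manager may kick anyone; an invited
# user may add their own DN (accept); a suspended user may add their own
# DN back (rejoin); a member may remove their own DN (leave).
olcAccess: {3}to dn.regex="^cn=[^,]+,ou=Group,dc=example,dc=com$"
  attrs=member
  by dnattr=UDBgrpAdmin write
  by dnattr=UDBgrpInvited selfwrite
  by dnattr=UDBgrpSuspended selfwrite
  by dnattr=member selfwrite
  by users read
# 4: the suspended list. A member may add their own DN (suspend), a
# suspended user may remove their own DN (rejoin).
olcAccess: {4}to dn.regex="^cn=[^,]+,ou=Group,dc=example,dc=com$"
  attrs=UDBgrpSuspended
  by dnattr=member selfwrite
  by dnattr=UDBgrpSuspended selfwrite
  by users read
# 2.3 (hand-over) and 2.4 (description): manager only. The membership check
# for the new manager is NOT expressible here; see the note above.
olcAccess: {5}to dn.regex="^cn=[^,]+,ou=Group,dc=example,dc=com$"
  attrs=UDBgrpAdmin,description
  by dnattr=UDBgrpAdmin write
  by users read
# Remaining attributes of a group (objectClass, cn, ...): manager only.
olcAccess: {6}to dn.regex="^cn=[^,]+,ou=Group,dc=example,dc=com$"
  by dnattr=UDBgrpAdmin write
  by users read
# 1: any authenticated user may create entries below ou=Group.
olcAccess: {7}to dn.base="ou=Group,dc=example,dc=com" attrs=children
  by users add
  by * read
```

Accepting an invitation is then a single modify that deletes the requester's DN from UDBgrpInvited and adds it to member; both value changes are checked against the entry as it exists before the modify, so the `dnattr=UDBgrpInvited selfwrite` clause on member still matches. The same holds for the suspend and rejoin moves between member and UDBgrpSuspended. Because the first matching `to` clause wins, the blacklist rule and the `attrs=entry` rule must stay ahead of the catch-all `{6}` rule.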