On Monday, 20 February 2012 23:57:17 Nick Milas wrote:
> On 20/2/2012 11:14 PM, Dieter Klünter wrote:
>> The AdminGuide (and slapd.access(5)) clearly say [dnattr=<attrname>], that is, the attribute name is commonName or telephoneNumber, but not an attribute value like AdminGroups.
> Thanks Dieter,
> I guess I was not clear enough?

You were clear enough in your requirement, but your approach will not work (and I thought Dieter was clear enough in that regard too).

> According to my description, AdminGroups, ReadGroups and SearchGroups are in fact attributes (of a hypothetical to-be-defined objectClass: AdminGroupOwnership) and not values.

And you also want the values of these attributes to be expanded to the members (of some definition) of the groups (of some definitions).

> We add to each entry the objectClass: AdminGroupOwnership and any needed attributes (AdminGroups, ReadGroups and SearchGroups); these attributes, I repeat, would have values of the form:
> cn=<someAdmins>,ou=Groups,dc=example,dc=com
> Will it work as expected (to provide access to members of these groups) if we use rules of the form: access to <some entries> <some attributes> by dnattr=AdminGroups write by dnattr=ReadGroups read by dnattr=SearchGroups search ...??

If you were to bind as the 'group' cn=<someAdmins>,ou=Groups,dc=example,dc=com, this would work. But, not if you bind as a 'member' of this group (which I believe is what you want).

What you want to do may be achievable with sets (http://www.openldap.org/faq/data/cache/1133.html).
Regards, Buchan
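An added slapd.conf ACL sketch of the set-based approach Buchan points to (editor's example, not from the thread or from the OpenLDAP FAQ). It assumes the hypothetical objectClass AdminGroupOwnership with DN-valued attributes AdminGroups, ReadGroups and SearchGroups, that the referenced groups are groupOfNames entries whose membership is held in "member", and a constructed fixed admin group cn=Directory Admins.

```conf
# Editor's example; names and the AdminGroupOwnership objectClass are hypothetical.
#
# 1. Lock down the delegation attributes themselves. If an entry owner could
#    write AdminGroups, they could point it at a group they control and grant
#    themselves rights, so only a fixed admin group may change these values.
access to dn.subtree="ou=People,dc=example,dc=com"
    attrs=AdminGroups,ReadGroups,SearchGroups
    by set="[cn=Directory Admins,ou=Groups,dc=example,dc=com]/member & user" write
    by * none

# 2. Expand group DNs stored in the entry to their members at access-check time.
#    "this" is the entry being accessed; this/AdminGroups yields the group DNs it
#    holds; /member follows each DN and collects that group's member values;
#    "& user" intersects with the bind DN, so the clause matches only when the
#    bound identity is a member of one of the listed groups (unlike dnattr,
#    which matches only when the bind DN itself equals the stored value).
access to dn.subtree="ou=People,dc=example,dc=com"
    by set="this/AdminGroups/member & user" write
    by set="this/ReadGroups/member & user" read
    by set="this/SearchGroups/member & user" search
    by * none
```

The attribute-specific rule must precede the general one, since slapd stops at the first access directive whose target matches; set evaluation also dereferences the group entries on every check, which is slower than dnattr or group= clauses.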