Hi Nick,
On Mon, 20 Feb 2012 23:57:17 +0200, Nick Milas nick@eurobjects.com wrote:
On 20/2/2012 11:14 PM, Dieter Klünter wrote:
The AdminGuide (and slapd.access(5)) clearly say [dnattr=<attrname>], that is, the attribute name is commonName or telephoneNumber, but not an attribute value like AdminGroups.
Thanks Dieter,
I guess I was not clear enough?
According to my description, AdminGroups, ReadGroups and SearchGroups are in fact attributes (of a hypothetical to-be-defined objectClass: AdminGroupOwnership) and not values.
We add to each entry the objectClass: AdminGroupOwnership and any needed attributes (AdminGroups, ReadGroups and SearchGroups); these attributes, I repeat, would have values of the form:
cn=<someAdmins>,ou=Groups,dc=example,dc=com
Will it work as expected (to provide access to members of these groups) if we use rules of the form: access to <some entries> <some attributes> by dnattr=AdminGroups write by dnattr=ReadGroups read by dnattr=SearchGroups search ...?
I don't think so, but I haven't tried it. You want access based on group membership, so the membership has to be checked.
-Dieter
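As an added illustration that is not part of the thread, the ACL form Nick proposed next to two membership-checked forms, in slapd.conf syntax. It assumes Nick's AdminGroups/ReadGroups/SearchGroups attributes holding group DNs, groups under ou=Groups,dc=example,dc=com of objectClass groupOfNames with a member attribute, and a subtree ou=People,dc=example,dc=com as the protected entries; it goes beyond the thread by showing the group= and set= clauses from slapd.access(5).

```conf
# Added example, not from the mailing-list thread. Assumed: entries carry
# Nick's custom AdminGroups/ReadGroups/SearchGroups attributes whose values
# are group DNs; the groups are groupOfNames entries with "member" values.

# As proposed in the thread: dnattr grants access only when the bound DN
# itself appears as a value of AdminGroups on the target entry. A stored
# group DN matches no person who binds, so group members get nothing.
access to dn.subtree="ou=People,dc=example,dc=com"
    by dnattr=AdminGroups write
    by * none

# Membership-checked alternative 1: name the group in the ACL; slapd reads
# the group entry and tests whether the bound DN is one of its members.
access to dn.subtree="ou=People,dc=example,dc=com"
    by group/groupOfNames/member="cn=someAdmins,ou=Groups,dc=example,dc=com" write
    by * none

# Membership-checked alternative 2 (ACL sets, documented as experimental):
# follow the group DNs stored in the target entry's own attribute, collect
# the member values of those groups, and require the bound DN among them.
access to dn.subtree="ou=People,dc=example,dc=com"
    by set="this/AdminGroups/member & user" write
    by set="this/ReadGroups/member & user" read
    by set="this/SearchGroups/member & user" search
    by * none
```

Clauses are evaluated in order and the first matching "by" wins, so keep the most privileged clause first as above.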