On 2011-03-17 at 10:08, Tim Gustafson ( tjg@soe.ucsc.edu ) said:
Hi,
I'd like to let users create posixGroup objects, but I don't want them to be able to pick a gidNumber that is already in use, or that is less than 1000 or greater than 10000, and I only want the groups to be created in the ou=Group,dc=example,dc=com container.
Take a look at slapo-unique to enforce gidNumber uniqueness. The last part is definitely doable. As to enforcing a value to be within a certain range, I suppose if you can come up with a regex to match that, it should be possible.
We have something similar, in that users can create groups of the form <user>:<groupname>. Here are the ACLs that make that work:
# allow access to create entries under ou=group
access to dn.exact="ou=group,dc=bx,dc=psu,dc=edu" attrs=children
        by users write
        by * read

# personal groups
access to dn.regex="cn=(.+):.+,ou=group,dc=bx,dc=psu,dc=edu"
        filter=(|(objectclass=groupofnames)(objectclass=posixgroup))
        attrs=member,memberUid
        by dn.regex="uid=$1,ou=people,dc=bx,dc=psu,dc=edu" write
        by dn.regex=".*/admin,ou=people,dc=bx,dc=psu,dc=edu" write
        by group.exact="cn=ldapadmin-groups,ou=group,dc=bx,dc=psu,dc=edu" write
        by * read

--andy
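A slapd.conf sketch, added here and not from either poster, that puts the three pieces Andy mentions together for Tim's ou=Group,dc=example,dc=com: slapo-unique for gidNumber uniqueness, a children ACL so groups can only be created under that container, and a val.regex ACL that grants write on gidNumber only for values 1000 through 10000. The attribute list in the last rule and the plain "by users write" grants are assumptions for illustration; an ownership pattern like Andy's dn.regex can replace them.

```conf
# slapo-unique (inside the database section): reject any add or modify that
# would produce a duplicate gidNumber anywhere under ou=Group.
overlay unique
unique_uri ldap:///ou=Group,dc=example,dc=com?gidNumber?sub

# 1. Authenticated users may create entries under ou=Group only. No other
#    rule grants write on "children", so adds elsewhere are refused.
access to dn.exact="ou=Group,dc=example,dc=com" attrs=children
        by users write
        by * read

# 2. gidNumber is writable only when the value is in 1000..10000.
#    The "to" clause matches only such values; any other value falls
#    through to rule 3, which grants no write, so the add fails.
#    Regex: 1000-1999 | 2000-9999 | 10000
access to dn.children="ou=Group,dc=example,dc=com"
        attrs=gidNumber val.regex="^(1[0-9]{3}|[2-9][0-9]{3}|10000)$"
        by users write
        by * read

# 3. Any other gidNumber value: read only (blocks out-of-range values).
access to dn.children="ou=Group,dc=example,dc=com" attrs=gidNumber
        by * read

# 4. The remaining attributes a new group needs (the "entry" pseudo-attribute
#    must be writable for an add to succeed). Attribute list is an assumption.
access to dn.children="ou=Group,dc=example,dc=com"
        attrs=entry,objectClass,cn,memberUid,description
        by users write
        by * read
```

Rule order matters: slapd applies the first "access to" clause whose target matches, so the val.regex rule must precede the catch-all gidNumber rule.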