On 20/2/2012 1:45 PM, Nick Milas wrote:
I would like to ask the list:
- Can someone demonstrate how we should formulate an ACL which would accomplish the above? The ACL should say:

    access to <some entries> <some attribute>
        by {a DN which belongs to a Group specified in the AdminGroups attr of the entry} write
        by {a DN which belongs to a Group specified in the ReadGroups attr of the entry} read
        by {a DN which belongs to a Group specified in the SearchGroups attr of the entry} search

- Is there an existing (included in the distribution or available from a third-party) schema or similar mechanism available (so that I don't re-invent the wheel)?
Reading through http://www.openldap.org/doc/admin24/access-control.html, I came to the conclusion that this could work if we specify:
    access to <some entries> <some attributes>
        by dnattr=AdminGroups write
        by dnattr=ReadGroups read
        by dnattr=SearchGroups search
Will this work if the DNs included in these attributes are, as I have described, of the following form:

    cn=<someAdmins>,ou=Groups,dc=example,dc=com

and these are in turn defined as:

    dn: cn=<someAdmins>,ou=Groups,dc=example,dc=com
    objectClass: groupOfNames
    cn: TechAdmins
    member: uid=<user1>,ou=people,dc=example,dc=com
    member: uid=<user2>,ou=people,dc=example,dc=com

...??
Please, advise.
Thanks, Nick
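The ACL question in the message above, as an added example that is not part of the mailing-list thread and is not OpenLDAP code: a small in-memory Python model of how slapd picks the access level for a bound DN from the three `by` clauses, run under two kinds of `<who>` clause. It makes one documented point visible: `dnattr=<attr>` matches only a bound DN that is itself a value of `<attr>` in the target entry, so a group DN stored in AdminGroups is compared as a plain DN and its members are never consulted. To follow the stored group DN and test its `member` values, the construct I would reach for is a `set=` clause of the form `set="this/AdminGroups/member & user"` (the OpenLDAP admin guide documents sets as experimental, so check the syntax against your slapd version before relying on it). The directory contents, user names, group names and the target entry `ou=Projects,dc=example,dc=com` are all constructed, hypothetical sample data, not anything from the poster's server.

```python
"""Added example (not part of the mailing-list thread): an in-memory model of
how slapd resolves the three <by> clauses from the post for a given bound DN,
under two kinds of <who> clause:

  by dnattr=AdminGroups write                    -> dnattr_matches()
  by set="this/AdminGroups/member & user" write  -> set_group_matches()

Every DN, entry and attribute below is constructed sample data.
"""
from typing import Callable, Dict, List, Optional

Entry = Dict[str, List[str]]
Directory = Dict[str, Entry]

# Privilege levels used here, least to most (a subset of slapd's ordering).
LEVELS = ["none", "search", "read", "write"]

# The <by> clauses from the post, in the order slapd would evaluate them.
ACL_CLAUSES = [("AdminGroups", "write"), ("ReadGroups", "read"), ("SearchGroups", "search")]

# Constructed directory (hypothetical names; not from the poster's server).
DIRECTORY: Directory = {
    "cn=TechAdmins,ou=Groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["TechAdmins"],
        "member": ["uid=alice,ou=people,dc=example,dc=com",
                   "uid=bob,ou=people,dc=example,dc=com"]},
    "cn=Readers,ou=Groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["Readers"],
        "member": ["uid=carol,ou=people,dc=example,dc=com"]},
    "cn=Searchers,ou=Groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["Searchers"],
        "member": ["uid=dave,ou=people,dc=example,dc=com"]},
    # The protected entry; AdminGroups/ReadGroups/SearchGroups hold group DNs.
    "ou=Projects,dc=example,dc=com": {
        "objectClass": ["organizationalUnit", "extensibleObject"],
        "AdminGroups": ["cn=TechAdmins,ou=Groups,dc=example,dc=com"],
        "ReadGroups": ["cn=Readers,ou=Groups,dc=example,dc=com"],
        "SearchGroups": ["cn=Searchers,ou=Groups,dc=example,dc=com"],
        "description": ["project records"]},
}
TARGET = "ou=Projects,dc=example,dc=com"


def norm(dn: str) -> str:
    """Normalise a DN for comparison: lower-case, no whitespace around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def lookup(directory: Directory, dn: str) -> Optional[Entry]:
    """Find an entry by DN, comparing normalised forms."""
    wanted = norm(dn)
    return next((e for k, e in directory.items() if norm(k) == wanted), None)


def dnattr_matches(directory: Directory, entry_dn: str, attr: str, bound_dn: str) -> bool:
    """Model of `by dnattr=<attr>`: the bound DN must itself be one of the
    values of <attr> in the target entry. A group DN stored there is compared
    as a plain DN; its members are never consulted."""
    entry = lookup(directory, entry_dn) or {}
    return norm(bound_dn) in {norm(v) for v in entry.get(attr, [])}


def set_group_matches(directory: Directory, entry_dn: str, attr: str, bound_dn: str) -> bool:
    """Model of `by set="this/<attr>/member & user"`: dereference every DN in
    <attr> of the target entry, gather their `member` values, and test whether
    the bound DN is among them."""
    entry = lookup(directory, entry_dn) or {}
    members = set()
    for group_dn in entry.get(attr, []):
        group = lookup(directory, group_dn) or {}
        members.update(norm(m) for m in group.get("member", []))
    return norm(bound_dn) in members


Matcher = Callable[[Directory, str, str, str], bool]


def evaluate(directory: Directory, entry_dn: str, bound_dn: str, matcher: Matcher) -> str:
    """Walk the <by> clauses in order. As in slapd, the first <who> that matches
    fixes the access level and evaluation stops; no match means no access."""
    for attr, level in ACL_CLAUSES:
        if matcher(directory, entry_dn, attr, bound_dn):
            return level
    return "none"


def grants(level: str, needed: str) -> bool:
    """slapd levels are cumulative: write implies read, read implies search."""
    return LEVELS.index(level) >= LEVELS.index(needed)


if __name__ == "__main__":
    for who in ["uid=alice,ou=people,dc=example,dc=com",
                "uid=carol,ou=people,dc=example,dc=com",
                "uid=dave,ou=people,dc=example,dc=com",
                "uid=eve,ou=people,dc=example,dc=com",
                "cn=TechAdmins,ou=Groups,dc=example,dc=com"]:
        print(f"{who:45} dnattr={evaluate(DIRECTORY, TARGET, who, dnattr_matches):6} "
              f"set={evaluate(DIRECTORY, TARGET, who, set_group_matches)}")
```

Running the block prints one line per bound DN: under the `dnattr` model only a bind as the group entry itself (`cn=TechAdmins,...`) reaches `write`, while alice, carol and dave get `none`; under the group-dereferencing model alice gets `write`, carol `read`, dave `search` and eve `none`. The clause order matters in both models because the first matching `by` clause wins, which is why `write` is listed before `read` and `search`.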