Hi There,
I want "n" number of groups (or a similar structure which keeps member information) to be created, and only group members have access to those groups. Members are defined in a separate user branch, so my DIT looks like:
dc=example,dc=com
+--ou=people,dc=example,dc=com
+----uid=bjanson,ou=users,dc=example,dc=com
+----uid=matt,ou=users,dc=example,dc=com
+--cn=group1,dc=example,dc=com (groupOfNames)
+----cn=subgroup1,dc=example,dc=com (groupOfNames)
Now users bjanson and matt are members of group1; only bjanson is a member of subgroup1. I would like to have an ACL defined so only members can access their group. I don't need any ACL on the subgroup as long as only the members of the parent group can access it.
Is it possible to do that in a generic form, because the basic ACL syntax needs a dn/filter in the "access to" clause? In my example, if I have n groups I will end up having n access control statements in slapd.conf, which doesn't sound like a good idea.
Also, I don't need to use groups as such, but groupOfNames/groupOfUniqueNames are the only classes which support the member attribute. Please let me know if there is any other objectClass I should use.
Thanks for all the help and support, I appreciate it very much.
On Thu, 17 Mar 2011 12:01:15 -0700, sim123 Sim3159@gmail.com wrote:
> Hi There,
> I want "n" number of groups (or a similar structure which keeps member information) to be created, and only group members have access to those groups. Members are defined in a separate user branch, so my DIT looks like:
> dc=example,dc=com
> +--ou=people,dc=example,dc=com
> +----uid=bjanson,ou=users,dc=example,dc=com
> +----uid=matt,ou=users,dc=example,dc=com
> +--cn=group1,dc=example,dc=com (groupOfNames)
> +----cn=subgroup1,dc=example,dc=com (groupOfNames)
> Now users bjanson and matt are members of group1; only bjanson is a member of subgroup1. I would like to have an ACL defined so only members can access their group. I don't need any ACL on the subgroup as long as only the members of the parent group can access it.
> Is it possible to do that in a generic form, because the basic ACL syntax needs a dn/filter in the "access to" clause? In my example, if I have n groups I will end up having n access control statements in slapd.conf, which doesn't sound like a good idea.
> Also, I don't need to use groups as such, but groupOfNames/groupOfUniqueNames are the only classes which support the member attribute. Please let me know if there is any other objectClass I should use.
> Thanks for all the help and support, I appreciate it very much.
You may use the almost undocumented access control by sets: http://www.openldap.org/faq/data/cache/1133.html and http://www.openldap.org/faq/data/cache/1134.html. These documents provide some examples.
-Dieter
On Thu, Mar 17, 2011 at 09:20:59PM +0100, Dieter Kluenter wrote:
>> I want "n" number of groups (or a similar structure which keeps member information) to be created, and only group members have access to those groups. Members are defined in a separate user branch, so my DIT looks like:
>> dc=example,dc=com
>> +--ou=people,dc=example,dc=com
>> +----uid=bjanson,ou=users,dc=example,dc=com
>> +----uid=matt,ou=users,dc=example,dc=com
>> +--cn=group1,dc=example,dc=com (groupOfNames)
>> +----cn=subgroup1,dc=example,dc=com (groupOfNames)
I assume that last DN should be cn=subgroup1,cn=group1,dc=example,dc=com
>> Now users bjanson and matt are members of group1; only bjanson is a member of subgroup1. I would like to have an ACL defined so only members can access their group. I don't need any ACL on the subgroup as long as only the members of the parent group can access it.
Be careful here: LDAP is not like a filesystem. Protecting one node does not automatically protect the nodes beneath it.
>> Is it possible to do that in a generic form, because the basic ACL syntax needs a dn/filter in the "access to" clause? In my example, if I have n groups I will end up having n access control statements in slapd.conf, which doesn't sound like a good idea.
You can use regex matching to write one rule that controls many groups. With a bit of thought you can probably handle the subgroups in the same rule (use the regex capture syntax to derive the DN of the master group so that you can use it in the 'by whom' part of the rule).
>> Also, I don't need to use groups as such, but groupOfNames/groupOfUniqueNames are the only classes which support the member attribute. Please let me know if there is any other objectClass I should use.
I would avoid the uniqueNames type. You may want to define your own objectclass making 'member' an optional attribute so that you can have empty groups.
> You may use the almost undocumented access control by sets: http://www.openldap.org/faq/data/cache/1133.html and http://www.openldap.org/faq/data/cache/1134.html. These documents provide some examples.
Sets are very powerful, but may not be needed for this job.
Andrew
openldap-technical@openldap.org
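Andrew's regex approach written out as a slapd.conf fragment (an added example, not from the thread). It assumes the DN layout Andrew suggests, with each subgroup directly beneath its parent group, and uses the `group/<objectclass>/<attr>.expand` style from slapd.access(5) to substitute the captured parent cn into the 'by whom' clause; dc=example,dc=com is the poster's suffix.

```conf
# Added example: one regex rule per nesting level, no per-group rules.
# Assumes subgroups sit under their parent group, e.g.
#   cn=subgroup1,cn=group1,dc=example,dc=com   (Andrew's correction)

# Users must be able to bind; nobody else reads password hashes.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Subgroups: $1 captures the parent group's cn, and .expand substitutes
# it into the group DN checked in the 'by' clause, so only members of
# the PARENT group may read the subgroup entry.
# This clause must come before the top-level rule: the first 'to'
# clause that matches the entry wins.
access to dn.regex="^cn=[^,]+,cn=([^,]+),dc=example,dc=com$"
    by group/groupOfNames/member.expand="cn=$1,dc=example,dc=com" read
    by * none

# Top-level groups: the group being read is also the group consulted.
access to dn.regex="^cn=([^,]+),dc=example,dc=com$"
    by group/groupOfNames/member.expand="cn=$1,dc=example,dc=com" read
    by * none

# Everything else (the people branch, the suffix entry): authenticated
# users may read so that member DNs resolve; anonymous gets nothing.
access to *
    by users read
    by * none
```

The rootdn bypasses ACLs entirely, so verify with ordinary user binds: matt (a group1 member) should read both group1 and subgroup1, while a user outside group1 should see neither.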