On Sat, Mar 05, 2005 at 12:38:13PM +0100, Petter Reinholdtsen wrote:
> Is it possible to adjust the current LDAP configuration to grant password
> change access to a group of LDAP users? I would like to grant such
> access to all users in the teacher group.

I was told it was wise to not let every teacher change passwords, so we created the Junior Admins group, which is supposed to contain the teachers capable of changing passwords. Is that ok?

We have a flexible ldap structure where people's roles and group memberships are expressed by the groups they are members of, not the place where their entry is placed in the ldap tree. Now the problem is that we need slapd to do this: members in group A can read/write certain attributes of entries in group B. Members in group C can read/write certain attributes of entries in groups A and B and C. So we filter both the subject and the object of our ACL based on group membership.

Since I became aware of the ongoing discussion I consulted again with some openldap deities and was told that even they did not know the answer to this problem. Research is ongoing. There are ACIs which could perhaps solve the problem:

http://www.openldap.org/faq/data/cache/634.html

ACIs are still experimental and not enabled in the debian packages, because their interface is about to change. We could compile our own openldap packages, see if we won't run into library compatibility problems and, if not, deal with the changing interface at a later point in time.

> I suspect this is impossible without changing the structure of the LDAP
> tree, and we do not want to do that as it would make the existing
> installations incompatible.

Alternatively to the present ldap structure we could express the membership in authority groups by placing students in ou=Students,ou=People,..., teachers in ou=Teachers,ou=People, etc. Then a person could not be a teacher and a jradmin/admin at the same time, but we could filter on the regex (eg "Teachers", "Students", "Admins" etc) in the DN to tell what kind of person is trying to access data on which other kind. That would require ripping apart the existing ldap tree and migrating people to different subtrees. I think this could be done in fix_ldif. That would take care of the upgrade path. People would need to create new accounts for jradmins and admins, since it would not be possible to be in more than one authority group any more. Do we want this?
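As an added illustration (not from the message above or from the Skolelinux packages), the two ACL shapes discussed in this thread written out as slapd.conf fragments. The base DN dc=example,dc=org, the group names cn=JuniorAdmins and cn=Students, the groupOfNames/member object class, and the memberOf-style attribute on person entries are all assumptions made for the example; the real tree is not shown in the thread.

```conf
# Example slapd.conf ACL fragments (added illustration, hypothetical DNs).
# slapd evaluates "access to" clauses in order and stops at the first one
# whose target matches, and within a clause stops at the first "by" that
# matches the bound DN, so put the specific password rules before any
# catch-all rule and keep "by * none" last.

# Variant 1: subject filtered by group membership (the existing flat tree).
# The "by group/..." clause checks whether the bound DN is listed in the
# member attribute of the named groupOfNames entry. The object side can
# only be filtered on attributes the target entry itself carries, so this
# assumes each person entry holds a memberOf-style attribute naming its
# groups; without such an attribute slapd cannot express "entries that are
# members of group B", which is the open problem in the message above.
access to filter="(memberOf=cn=Students,ou=Groups,dc=example,dc=org)"
        attrs=userPassword
    by group/groupOfNames/member="cn=JuniorAdmins,ou=Groups,dc=example,dc=org" write
    by self write
    by anonymous auth
    by * none

# Variant 2: the restructured tree sketched in the message, where the
# authority group is encoded in the DN (ou=Students / ou=Teachers /
# ou=Admins under ou=People). Both subject and object are matched with
# dn.regex, so no group lookup is needed, at the cost that a person can
# sit in only one subtree.
access to dn.regex="^uid=[^,]+,ou=Students,ou=People,dc=example,dc=org$"
        attrs=userPassword
    by dn.regex="^uid=[^,]+,ou=Admins,ou=People,dc=example,dc=org$" write
    by dn.regex="^uid=[^,]+,ou=Teachers,ou=People,dc=example,dc=org$" write
    by self write
    by anonymous auth
    by * none

# Everything else: users may read their own entry, nobody else touches
# userPassword through this rule because the clauses above already
# claimed it.
access to *
    by self read
    by users read
    by * none
```

Two things worth checking after loading such rules: bind as a JuniorAdmins member and confirm an ldappasswd against a student entry succeeds while the same operation against an admin entry is refused, and confirm that a plain teacher who is not in JuniorAdmins gets "Insufficient access" rather than falling through to a later, more permissive clause. Running slapd with ACL debugging (-d acl) shows which clause and which "by" matched for each request, which is the quickest way to spot ordering mistakes.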

