On 17.03.2011 18:08, Tim Gustafson wrote:
> Hi,
>
> I'd like to let users create posixGroup objects, but I don't want them to be
> able to pick a gidNumber that is already in use, or that is less than 1000 or
> greater than 10000, and I only want the groups to be created in the
> ou=Group,dc=example,dc=com container.
>
> Is this possible with OpenLDAP ACLs?
>
Hi,

to prevent gidNumber duplicates you probably need slapo-unique. ACLs along these lines should do the rest:

    access to dn.exact="ou=group,dc=example" attrs=children
        by users write

    access to dn.sub="ou=group,dc=example" attrs=entry
            filter="(&(objectClass=posixGroup)(gidNumber>=1000)(gidNumber<=10000))"
        by users add

Regards,
Christian Manal
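
The slapo-unique part of the reply above could be configured as follows. This is an added example, not part of the original message: it assumes slapd.conf-style configuration, that the overlay is built as a loadable module, and the ou=Group,dc=example,dc=com container named in the question.

```conf
# Global section: load the overlay if it is built as a module
# (assumption; skip this line if unique is compiled into slapd).
moduleload unique

# ... inside the database section that holds dc=example,dc=com ...
overlay unique

# Reject any add, modify or modrdn that would give a posixGroup under
# ou=Group a gidNumber already held by another posixGroup in that subtree.
# URI layout: ldap:///<base>?<attribute>?<scope>?<filter>
unique_uri ldap:///ou=Group,dc=example,dc=com?gidNumber?sub?(objectClass=posixGroup)
```

The overlay enforces uniqueness only; the 1000 to 10000 range and the container restriction still come from the ACLs.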
