On Thu, 17 Mar 2011 12:01:15 -0700, sim123 <[email protected]> wrote:
> Hi There,
>
> I want "n" number of groups (or similar structure which keeps member
> information) to be created and only group members have access to those
> groups. Members are defined in a separate user branch so my DIT looks
> like
>
> dc=example,dc=com
> +--ou=people,dc=example,dc=com
> +----uid=bjanson,ou=users,dc=example,dc=com
> +----uid=matt,ou=users,dc=example,dc=com
> +--cn=group1,dc=example,dc=com (groupOfNames)
> +----cn=subgroup1,dc=example,dc=com (groupOfNames)
>
> now users bjanson and matt are members of group1, only bjanson is
> member of subgroup1. I would like to have ACL defined so only members
> can access their group. I don't need any ACL on subgroup as long as
> only all members of parent group can access it.
>
> Is it possible to do that in generic form because basic ACL syntax
> needs dn/filter in "access to " clause. In my example if I have n
> groups I will end up having n access control syntax in slapd.conf,
> which doesn't sound like a good idea.
>
> Also, I don't need to use groups as such but groupOfNames/
> groupOfUniqueNames are the only classes which support member attribute.
> Please let me know if there is any other objectClass I should use.
>
> Thanks for all the help and support, I appreciate it very much.

You may use the almost undocumented access control by sets

http://www.openldap.org/faq/data/cache/1133.html
http://www.openldap.org/faq/data/cache/1134.html

These documents provide some examples.

-Dieter

--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N 10°08'02,42"E
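The following slapd.conf fragment is an added illustration of the set-based approach Dieter points to; it is not code from the thread or from the linked FAQ pages. It assumes the layout in the question with two adjustments that the question leaves open: top-level groups are groupOfNames entries directly under dc=example,dc=com, subgroups are children of their parent group (cn=subgroup1,cn=group1,dc=example,dc=com rather than a sibling), users bind with their own uid=...,ou=people,... DN, and the `this/-1` parent-of-target step is taken from the sets FAQ syntax and should be checked against the slapd version in use.

```conf
# Added example for the thread above; not from the original post or the FAQ.
# Assumptions: groups sit directly under dc=example,dc=com, subgroups are
# children of their parent group, and users bind as uid=...,ou=people,...

# Users must be able to bind before any set can be evaluated against them,
# so the password rule goes first (slapd uses the first matching "access to").
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Subgroups: grant read to members of the PARENT group, so no per-subgroup
# rule is ever needed. "this" is the entry being accessed, "this/-1" its
# parent (assumed parent step from the sets FAQ), "/member" that parent's
# member attribute, and "& user" keeps only the bound DN if it is listed.
# A non-empty set means the "by" clause applies.
access to dn.regex="^cn=[^,]+,cn=[^,]+,dc=example,dc=com$"
    by set="this/-1/member & user" read
    by * none

# Top-level groups: one rule for all n groups. The regex matches any
# "cn=<name>,dc=example,dc=com"; the set is non-empty only when the bound
# DN appears in that group's own member attribute.
access to dn.regex="^cn=[^,]+,dc=example,dc=com$"
    by set="this/member & user" read
    by * none

# The suffix entry must be readable for a search based there to reach
# the groups at all; everything not matched above stays closed.
access to dn.base="dc=example,dc=com"
    by users read

access to *
    by * none
```

The ordering matters: slapd evaluates `access to` directives top to bottom and stops at the first whose target matches, and within a directive at the first `by` clause that applies, so the deny-all `by * none` lines and the trailing catch-all must come last. For the top-level group case alone, the documented `by dnattr=member read` clause does the same job without sets; the set syntax is what makes the walk to the parent group possible. Before deploying, check individual decisions offline with `slapacl -b <group DN> -D <user DN> -v` for a member and a non-member of each group, since a set that resolves to an unexpected empty result silently denies rather than erroring.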
