> to prevent gidNumber duplicates you probably need slapo-unique.

That works well; here's my configuration:

    overlay unique
    unique_uri ldap:///ou=Group,dc=example?cn?sub?
    unique_uri ldap:///ou=Group,dc=example?gidNumber?sub?

> ACLs along these lines should do the rest:
>
> access to dn.exact="ou=group,dc=example" attrs=children
>         by users write
>
> access to dn.sub="ou=group,dc=example" attrs=entry
>         filter="(&(objectClass=posixAccount)(gidNumber>=1000)(gidNumber<=1000))"
>         by users add

I already have this:

    access to dn.subtree="ou=Group,dc=example" attrs=manager,memberUid,description,myStatus,myComment
            by set="this/manager & user" write
            by * break

(My groups all have an additional objectClass, myGroup, which adds a manager, description, myStatus and myComment attribute to groups.)

Will the ACLs you propose break that? It doesn't look like they will; I just want to make sure.

Tim Gustafson
Baskin School of Engineering
UC Santa Cruz
[email protected]
831-459-5354
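
Added example, not part of the original message or of OpenLDAP: the unique overlay checks values when entries are added or modified, so duplicates already stored under the base stay in place. This sketch audits an LDIF export for the two attributes named in the unique_uri lines above; the sample entries, function names and simplified DN comparison are assumptions.

```python
import base64
from collections import defaultdict

# Constructed sample in slapcat/ldapsearch LDIF form; not data from the thread.
SAMPLE_LDIF = """\
dn: cn=staff,ou=Group,dc=example
cn: staff
gidNumber: 1000

dn: cn=lab,ou=Projects,ou=Group,dc=example
gidNumber: 1000

dn: cn=Staff,ou=Archive,
 ou=Group,dc=example
cn:: U3RhZmY=

dn: uid=tim,ou=People,dc=example
gidNumber: 1000
"""

def parse_ldif(text):
    """Yield (dn, attrs) per entry, unfolding lines and decoding base64 values."""
    for block in text.strip().split("\n\n"):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]              # RFC 2849 continuation line
            elif raw:
                lines.append(raw)
        attrs = defaultdict(list)
        for line in lines:
            name, _, rest = line.partition(":")
            b64 = rest.startswith(":")            # "attr:: <base64>" form
            value = base64.b64decode(rest[1:].strip()).decode() if b64 else rest.strip()
            attrs[name.lower()].append(value)
        if attrs["dn"]:
            yield attrs["dn"][0], attrs

def find_duplicates(text, base="ou=Group,dc=example", attrs=("cn", "gidNumber")):
    """Return {(attr, value): [dns]} for values shared by 2+ entries under base."""
    suffix, seen = base.lower().replace(" ", ""), defaultdict(set)
    for dn, entry in parse_ldif(text):
        norm = dn.lower().replace(" ", "")        # simplified DN normalisation
        if norm != suffix and not norm.endswith("," + suffix):
            continue                              # outside the unique_uri subtree
        for attr in attrs:
            for value in entry.get(attr.lower(), []):
                seen[(attr, value.lower())].add(dn)   # cn matches case-insensitively
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}
```

Calling find_duplicates(SAMPLE_LDIF) reports the shared gidNumber 1000 and the cn pair that differs only in case, and skips the entry under ou=People because it lies outside the subtree.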
