Hi Nick,

On Mon, 20 Feb 2012 23:57:17 +0200, Nick Milas <[email protected]> wrote:
> On 20/2/2012 11:14 μμ, Dieter Klünter wrote:
>
> > The AdminGuide (and slapd.access(5)) clearly say
> >
> > [dnattr=<attrname>]
> >
> > that is, attribute name is commonName or telephoneNumber, but not an
> > attribute value like AdminGroups.
>
> Thanks Dieter,
>
> I guess I was not clear enough?
>
> According to my description, AdminGroups, ReadGroups and SearchGroups
> are in fact attributes (of a hypothetical to-be-defined
> objectClass: AdminGroupOwnership) and not values.
>
> We add to each entry the objectClass: AdminGroupOwnership and any
> needed attributes (AdminGroups, ReadGroups and SearchGroups); these
> attributes, I repeat, would have values of the form:
>
> cn=<someAdmins>,ou=Groups,dc=example,dc=com
>
> Will it work as expected (to provide access to members of these
> groups) if we use rules of the form:
>
> access to <some entries> <some attributes>
>     by dnattr=AdminGroups write
>     by dnattr=ReadGroups read
>     by dnattr=SearchGroups search
>
> ...??

I don't think so, but I haven't tried it. You want access based on a
group membership, thus the membership has to be checked.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N 10°08'02,42"E
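As an added illustration, not part of Nick's or Dieter's mail, here is how the membership check Dieter refers to is written in slapd.conf. The reason the dnattr form does not do what Nick wants is in slapd.access(5): "by dnattr=<attrname>" grants access when the requestor's own DN appears as a value of <attrname> in the target entry, so with AdminGroups holding group DNs only a client bound as the group entry itself would ever match. The two forms below that actually look inside the group are the standard "group" clause and the "set" clause (both described in slapd.access(5); set syntax is detailed in the OpenLDAP FAQ-o-Matic). The subtree and group names (ou=People, ou=Projects, cn=Admins, cn=Readers) are made-up sample values; AdminGroups, ReadGroups and SearchGroups are Nick's hypothetical attributes and are assumed to be defined in the schema with DN syntax.

```conf
# Added example, not from the thread. slapd.conf ACLs that check group
# membership for the design Nick describes. All DNs are constructed
# sample values; AdminGroups/ReadGroups/SearchGroups are assumed to be
# schema-defined, DN-valued attributes.

# 1) Fixed, well-known groups: the standard group clause. slapd reads
#    the named group entry and grants access only if the bind DN is
#    listed in its member attribute. groupOfNames/member are the
#    defaults; the first clause spells them out explicitly.
access to dn.subtree="ou=People,dc=example,dc=com"
    by group/groupOfNames/member="cn=Admins,ou=Groups,dc=example,dc=com" write
    by group="cn=Readers,ou=Groups,dc=example,dc=com" read
    by * none

# 2) Per-entry groups, as in Nick's design: a set clause that starts at
#    the target entry ("this"), follows the DN(s) stored in its
#    AdminGroups attribute to the group entries, collects their member
#    values, and intersects that with the requestor ("user"). Access is
#    granted only when the intersection is non-empty, i.e. the bind DN
#    is a member of a group the entry itself names. Kept on a separate
#    subtree from (1) because slapd uses the first "access to" directive
#    whose target matches and ignores later ones for that entry.
access to dn.subtree="ou=Projects,dc=example,dc=com"
    by set="this/AdminGroups/member & user" write
    by set="this/ReadGroups/member & user" read
    by set="this/SearchGroups/member & user" search
    by * none
```

Within one directive the first matching "by" clause wins, so the order write/read/search matters: a user listed in both an AdminGroups and a ReadGroups group gets write. Nothing here authorises a user whose DN is merely stored in the entry; every grant goes through the group entry's member list, which is the membership check Dieter has in mind.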
