On Monday, 20 February 2012 23:57:17 Nick Milas wrote:

> On 20/2/2012 11:14 μμ, Dieter Klünter wrote:
> > The AdminGuide (and slapd.access(5)) clearly say
> >
> > [dnattr=<attrname>]
> >
> > that is, attribute name is commonName or telephoneNumber, but not an
> > attribute value like AdminGroups.
>
> Thanks Dieter,
>
> I guess I was not clear enough?

You were clear enough in your requirement, but your approach will not work (and I thought Dieter was clear enough in that regard too).

> According to my description, AdminGroups, ReadGroups and SearchGroups
> are in fact attributes (of a hypothetical to-be-defined
> objectClass: AdminGroupOwnership) and not values.

And you also want the values of these attributes to be expanded to the members (of some definition) of the groups (of some definitions).

> We add to each entry the objectClass: AdminGroupOwnership and any needed
> attributes (AdminGroups, ReadGroups and SearchGroups); these attributes,
> I repeat, would have values of the form:
>
> cn=<someAdmins>,ou=Groups,dc=example,dc=com
>
> Will it work as expected (to provide access to members of these groups)
> if we use rules of the form:
>
> access to <some entries> <some attributes>
>     by dnattr=AdminGroups write
>     by dnattr=ReadGroups read
>     by dnattr=SearchGroups search
>     ...??

If you were to bind as the 'group' cn=<someAdmins>,ou=Groups,dc=example,dc=com, this would work. But, not if you bind as a 'member' of this group (which I believe is what you want).

What you want to do may be achievable with sets (http://www.openldap.org/faq/data/cache/1133.html).

Regards,
Buchan
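As an added illustration of the set-based approach (not part of Buchan's reply), the same three rules written with slapd.access(5) set specifications instead of dnattr. It assumes the target entries live under ou=People,dc=example,dc=com, that AdminGroups/ReadGroups/SearchGroups hold group DNs as described above, and that those groups are groupOfNames entries whose membership is in the member attribute; "user" is the bound DN and "this" the entry being accessed.

```conf
# slapd.conf excerpt (added example, assumptions noted above)
#
# this/AdminGroups          -> the group DNs stored in the entry's AdminGroups attribute
# this/AdminGroups/member   -> the member values of each of those group entries
# ... & user                -> non-empty only if the bound DN is one of those members
access to dn.subtree="ou=People,dc=example,dc=com"
    by set="this/AdminGroups/member & user"  write
    by set="this/ReadGroups/member & user"   read
    by set="this/SearchGroups/member & user" search
    by * none
```

Unlike dnattr, which only matches when the bound DN is literally a value of the attribute, the set walks from the entry to the group entries and then to their members, so binding as a member of the group is what matches; slapd.access(5) still documents sets as experimental, so test the rules with slapacl before relying on them.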
