I'm trying to get access control for writing to groups as automated as
possible, in as much as I would like LDAP to be able to determine who is
able to write based on other attributes.

I've been able to successfully do this if I only need to grant access to
one or a few individuals, by specifying their DN as a value to an
attribute, and then using this ACL:

add: olcAccess
olcAccess: {2}to dn.sub="ou=groups,dc=example,dc=com" by dnattr="owner" write by users read by * none


That works really well - I just add the owner attribute to an object,
specify the owner's DN and they can then write to the object.


However, for larger scale permissions, I need to be able to use the
membership of a group. Now I've read
http://www.openldap.org/faq/data/cache/52.html and seen that you can
specify:

access to <what>
        by group/<objectclass>/<attributename>=<DN> <access>

However, that would require me to explicitly set the DN of the group in the
access control itself.


What I want/need to be able to do is for LDAP to read the DN of the group
that has permission, in the same way that it does with dnattr. I thought
that I had read something about this being possible with sets, but
slapd.access says that "The statement set=<pattern> is undocumented yet."
so I'm not clear if that is the most appropriate way to proceed.


Can someone please advise on how this might be accomplished?


Thanks.


Philip
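As an added example (not part of Philip's post), the set-based form of the same ACL: the entry's owner attribute points at a group rather than a person, and membership of that group is what grants write. The set syntax ("this" is the entry being accessed, "/attr" dereferences a DN-valued attribute, "&" intersects with the bound user) follows the OpenLDAP FAQ entry on sets; the group DNs, uids and the olcDatabase={1}mdb suffix are placeholders.

```ldif
# Constructed sample data: the "finance" group is owned by another
# group, "finance-admins", whose members should be allowed to edit it.
dn: cn=finance,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: finance
owner: cn=finance-admins,ou=groups,dc=example,dc=com
member: uid=alice,ou=people,dc=example,dc=com

dn: cn=finance-admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: finance-admins
member: uid=bob,ou=people,dc=example,dc=com

# ACL (placeholder database DN and {2} ordinal). Clauses are tried in
# order and the first match wins:
#   dnattr="owner"            - owner names the bound user directly
#   this/owner/member & user  - owner names a group; its member values
#                               intersected with the bound DN is non-empty
#                               only when the user is a member
# Lines beginning with a space are LDIF continuations of olcAccess.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {2}to dn.sub="ou=groups,dc=example,dc=com"
  by dnattr="owner" write
  by set="this/owner/member & user" write
  by users read
  by * none
```

With this data bob (a member of finance-admins) can write cn=finance while alice, who is only a member of finance, gets read; a group whose owner attribute points at a non-existent entry simply yields an empty set, so nobody gains write through it.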
