Dear ApacheDS Community,

With a little help (thanks Stefan!) I've been able to get ACI security working 
for individual names, but am not sure how to get it working for groups, if that 
is even possible.

I've set up a group like this within ApacheDS:

  DN: cn=Administrators,ou=groups,o=colornet
        groupOfNames (structural)
        top (abstract)
        Administrators
        cn=David Filip,ou=people,o=colornet
        cn=LDAP Admin,ou=people,o=colornet

so whereas this works in a prescriptiveACI for an individual name:

        userClasses
        {
            name { "cn=LDAP Admin,ou=people,o=colornet" }
        },

I was hoping (fingers crossed) that this might also work for a group:

        userClasses
        {
            name { "cn=Administrators,ou=groups,o=colornet" }
        },

but it does not (no error on LDIF import, but the individual users (cn=David 
Filip,ou=people,o=colornet, cn=LDAP Admin,ou=people,o=colornet) are not granted 
any access).

Unfortunately, the online documentation is a little thin around ACIs (mostly 
still in a TO-DO state, yes I know, patience, Rome wasn't built in a day), so I 
made a guess at:

        userClasses
        {
            group { "cn=Administrators,ou=groups,o=colornet" }
        },

which did not work (import failed, as the schema didn't know what 'group' was 
in this context).

As I am not yet proficient at reading and interpreting schema definitions (as 
presumably my answer is buried somewhere in the schema), can anyone advise as 
to 1) if groups are supported in ACIs, and 2) if they are, how do I specify 
them?

In the meantime, yes, this does work (specifying multiple names):

        userClasses
        {
            name { "cn=LDAP Admin,ou=people,o=colornet", "cn=David Filip,ou=people,o=colornet" }
        },

but that defeats the purpose of using a group.

Thanks in advance for any feedback.

Regards,

Dave Filip

