Don Hoover wrote:
I was wondering if there was a way to write an ACL for
members of the PosixGroup.


I have a simple directory structure of:
ou=People,o=myorg  (with posixusers)
ou=Group,o=myorg (with posixgroups)


I would like to create an ACL that allows users who
have a gidNumber of X (say 101) that matches our
systems admin group to have write access.  And I guess
one point is that they are not listed individually as
"memberOf" entries in the ou=Group cn, they just have
a gidNumber that matches a group in there.

I tried:

by group="cn=sysads,ou=Group,o=myorg" write

and

by group.expand="cn=sysads,ou=Group,o=myorg" write


Neither one worked, and in fact I saw an error message
of something like:
=> bdb_entry_get: found entry:
"cn=sysads,ou=group,o=myorg"

Mar 28 11:44:59 kyloulapp54dp slapd[5949]: <=
bdb_entry_get: failed to find objectClass groupOfNames



Do the group ACLs require a "groupOfNames" instead
of using posixGroups under an organizationalUnit?


I was wondering if maybe there is some regex I
could use to check the gidNumber of the user trying to
attempt access?  I am not a regex genius so any help
would be appreciated.

Not a regex. You could check membership by posixGroup members (memberUid) using sets <http://www.openldap.org/faq/data/cache/1133.html>.


Something like

access to *
    # memberUid holds login names (the uid attribute), so intersect with user/uid,
    # not user/uidNumber; the [...] literal is the group entry's DN
    by set="user/uid & [cn=sysads,ou=Group,o=myorg]/memberUid" read

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   [EMAIL PROTECTED]
---------------------------------------
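A small model of how slapd evaluates a `set` clause like the one above, to show why intersecting `user/uid` with the group's `memberUid` matches while `user/uidNumber` never does, and how the same mechanism covers primary-group membership via `gidNumber` (the case Don describes). This is an added example, not code from the thread or from OpenLDAP; the entries, DNs, uid/gid values and the gidNumber variant are constructed assumptions.

```python
# Added example: a minimal model of OpenLDAP "set" ACL evaluation.
# Entries, DNs and uid/gid values are constructed, not taken from the thread.
import re

# Constructed directory: posixAccount users and one posixGroup (no member DNs).
DIRECTORY = {
    "uid=alice,ou=People,o=myorg": {"uid": {"alice"}, "uidNumber": {"1001"}, "gidNumber": {"101"}},
    "uid=bob,ou=People,o=myorg":   {"uid": {"bob"},   "uidNumber": {"1002"}, "gidNumber": {"200"}},
    "uid=carol,ou=People,o=myorg": {"uid": {"carol"}, "uidNumber": {"1003"}, "gidNumber": {"200"}},
    "cn=sysads,ou=Group,o=myorg":  {"cn": {"sysads"}, "gidNumber": {"101"}, "memberUid": {"carol"}},
}

# A term is either user/<attr> (the bound user's entry) or [<dn>]/<attr> (a literal DN).
TERM = re.compile(r"^(user|\[(?P<dn>[^\]]+)\])/(?P<attr>\w+)$")

def eval_term(term, user_dn):
    """Resolve one 'base/attr' term to the set of that attribute's values."""
    term = term.strip()
    m = TERM.match(term)
    if not m:
        raise ValueError(f"unsupported set term: {term!r}")
    dn = user_dn if term.startswith("user") else m.group("dn")
    return set(DIRECTORY.get(dn, {}).get(m.group("attr"), set()))

def set_matches(expr, user_dn):
    """A set clause matches when the intersection of its '&'-joined terms is non-empty."""
    result = None
    for term in expr.split("&"):
        values = eval_term(term, user_dn)
        result = values if result is None else result & values
    return bool(result)

def acl_decision(acl, user_dn):
    """Walk ordered (set_expr, level) clauses; the first match wins, like slapd's 'by' list.
    A clause whose expression is None stands for 'by * <level>'."""
    for expr, level in acl:
        if expr is None or set_matches(expr, user_dn):
            return level
    return "none"

SYSADS = "[cn=sysads,ou=Group,o=myorg]"
# Secondary membership via memberUid, primary membership via gidNumber, then everyone else.
ACL = [
    (f"user/uid & {SYSADS}/memberUid", "write"),
    (f"user/gidNumber & {SYSADS}/gidNumber", "write"),
    (None, "read"),
]
```

Against this data, carol gets write through memberUid, alice through her primary gidNumber, bob only read; the `user/uidNumber & .../memberUid` form yields an empty intersection even for carol.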

