acl to allow nested groups in owner attribute
Problem
I'm trying to create an ACL entry to allow users specified in the owner attribute of a group to manage the group, and also allow groups, including nested groups, to be specified as owners.
I've got this rule, which allows admin access to nested members of a specific group:
    {0}to * by ssf=128 set="user & [cn=Administrators,ou=LDAP,dc=Applications,dc=example,dc=com]/member" manage by * break
And I've got this rule, which works for granting management permissions to users that are directly specified as owners:
    {2}to dn.children="dc=Groups,dc=example,dc=com" by ssf=128 set="user & this/owner" manage
but so far I haven't been able to figure out how to combine the two concepts to allow specifying groups as owners. Has anyone gotten something like this working?
Solution
Almost as soon as I posted the question, I saw the dumb mistake I made -- I forgot to include the permission to be granted in the ACL entry. This entry is tested and works for users as owners, as well as groups and nested groups as owners (with a break-through so non-owners aren't rejected outright):
    to dn.children="dc=Groups,dc=example,dc=com" by ssf=128 set="user & this/owner" manage by ssf=128 set="user & this/owner/member" manage by * break
Context
StackExchange Database Administrators Q#1627, answer score: 4
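
A simplified model of how the two set clauses in the rule above resolve against a directory, added here as an illustration and not code from the original post or from OpenLDAP. The entries (alice, bob, carol, the app, leads and ops groups, the ou=People branch) are constructed sample data, and the `member*` form is OpenLDAP's recursive set dereference, which does not appear in the rules as shown on this page.

```python
# Simplified model of slapd "set" matching; not slapd's own code.
# All entries are constructed sample data (names are assumptions).
G = "dc=Groups,dc=example,dc=com"
P = "ou=People,dc=example,dc=com"
DIT = {k.lower(): v for k, v in {
    f"cn=app,{G}": {"owner": [f"uid=alice,{P}", f"cn=leads,{G}"]},
    f"cn=leads,{G}": {"member": [f"uid=bob,{P}", f"cn=ops,{G}"]},
    f"cn=ops,{G}": {"member": [f"uid=carol,{P}"]},
}.items()}

def deref(dns, attr):
    """One hop: values of `attr` on every entry named in `dns`."""
    out = set()
    for dn in dns:
        out |= {v.lower() for v in DIT.get(dn, {}).get(attr, [])}
    return out

def walk(this, expr):
    """Evaluate 'this/a/b'; a trailing '*' repeats that hop to a fixed point."""
    current = {this.lower()}
    for step in expr.split("/")[1:]:
        attr = step.rstrip("*")
        current = deref(current, attr)
        if step.endswith("*"):
            seen, frontier = set(current), current
            while frontier:  # the 'seen' set stops membership loops
                frontier = deref(frontier, attr) - seen
                seen |= frontier
            current = seen
    return current

ANSWER_SETS = ("this/owner", "this/owner/member")

def evaluate(user, this, ssf, sets=ANSWER_SETS):
    """'manage' if a by-clause matches, else 'break' (falls to later ACLs)."""
    for expr in sets:
        # each clause needs ssf >= 128 AND a non-empty "user & <set>"
        if ssf >= 128 and user.lower() in walk(this, expr):
            return "manage"
    return "break"

if __name__ == "__main__":
    group = f"cn=app,{G}"
    for uid in ("alice", "bob", "carol", "dave"):
        print(uid, evaluate(f"uid={uid},{P}", group, 128),
              evaluate(f"uid={uid},{P}", group, 128, ("this/owner/member*",)),
              evaluate(f"uid={uid},{P}", group, 0))
```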