
acl to allow nested groups in owner attribute

Submitted by: @import:stackexchange-dba
Tags: owner, groups, acl, allow, nested, attribute

Problem

I'm trying to create an ACL entry to allow users specified in the owner attribute of a group to manage the group, and also allow groups, including nested groups to be specified as owners.

I've got this rule, which allows admin access to nested members of a specific group:

{0}to by ssf=128 set="user & [cn=Administrators,ou=LDAP,dc=Applications,dc=example,dc=com]/member" manage by * break

And I've got this rule which works for granting management permissions to users that are directly specified as owners:

{2}to dn.children="dc=Groups,dc=example,dc=com" by ssf=128 set="user & this/owner" manage

but so far I haven't been able to figure out how to combine the two concepts to allow specifying groups as owners. Anyone gotten something like this working?

Solution

Almost as soon as I posted the question, I saw the dumb mistake I made -- I forgot to include the permission to be granted in the acl entry. This entry is tested and works for users as owners, as well as groups and nested groups as owners (with a break-through so non-owners aren't rejected outright):

to dn.children="dc=Groups,dc=example,dc=com" by ssf=128 set="user & this/owner" manage by ssf=128 set="user & this/owner/member" manage by * break
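The accepted rule in cn=config form, with sample entries it would be evaluated against and a slapacl(8) check, as an added illustration that is not part of the original post; the olcDatabase={1}mdb target, the `to *` target on the Administrators rule (the question's line shows none), the trailing read-only rule, and the names alice, bob, carol, cn=team-leads and cn=devs are assumptions.

```ldif
# Added illustration with assumed names; not from the original post.
# Record 1: apply to cn=config (replaces the ACL list of the assumed mdb database).
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Members of the Administrators group may manage everything (question's rule {0},
# target "to *" assumed). ssf=128 means the rule only matches over TLS/SASL
# with at least 128-bit protection.
olcAccess: {0}to * by ssf=128 set="user & [cn=Administrators,ou=LDAP,dc=Applications,dc=example,dc=com]/member" manage by * break
# Under dc=Groups: a user listed in the entry's own owner attribute, or a member
# of a group listed there, may manage the entry. Everyone else falls through
# ("break") to later rules instead of being denied here.
olcAccess: {1}to dn.children="dc=Groups,dc=example,dc=com" by ssf=128 set="user & this/owner" manage by ssf=128 set="user & this/owner/member" manage by * break
# Assumed catch-all: authenticated users may read, nobody else gets anything.
olcAccess: {2}to * by users read by * none

# Records 2 and 3: constructed sample data, applied to the data database.
# cn=team-leads has bob as a member; cn=devs is owned by alice directly and by
# the cn=team-leads group (groupOfNames allows the owner attribute).
dn: cn=team-leads,dc=Groups,dc=example,dc=com
changetype: add
objectClass: groupOfNames
cn: team-leads
member: uid=bob,ou=People,dc=example,dc=com

dn: cn=devs,dc=Groups,dc=example,dc=com
changetype: add
objectClass: groupOfNames
cn: devs
owner: uid=alice,ou=People,dc=example,dc=com
owner: cn=team-leads,dc=Groups,dc=example,dc=com
member: uid=carol,ou=People,dc=example,dc=com
# Expected evaluation of rule {1} on cn=devs:
#   alice matches  "user & this/owner"         -> manage
#   bob   matches  "user & this/owner/member"  -> manage
#   carol matches neither, hits "by * break", and ends at rule {2} -> read only

# Check offline against the config directory, without a running client session.
# "-o ssf=128" is required because both "by" clauses demand ssf=128; without it
# the check reports DENIED for bob and alice even though the ACL is correct.
#   slapacl -F /etc/ldap/slapd.d -o ssf=128 \
#       -D uid=bob,ou=People,dc=example,dc=com \
#       -b cn=devs,dc=Groups,dc=example,dc=com member/manage
```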

Context

StackExchange Database Administrators Q#1627, answer score: 4
