How to grant write access to an object to a group defined in an attribute of the object


I'm trying to get access control for writing to groups as automated as possible, in as much as I would like LDAP to be able to determine who is able to write based on other attributes.

I've been able to successfully do this if I only need to grant access to one or a few individuals, by specifying their DN as a value to an attribute, and then using this ACL:

add: olcAccess
olcAccess: {2}to dn.sub="ou=groups,dc=example,dc=com" by dnattr="owner" write by users read by * none

That works really well – I just add the owner attribute to an object, specify the owner's DN and they can then write to the object.

However, for larger scale permissions, I need to be able to use the membership of a group. Now I've read and seen that you can specify:
access to
by group//=
However, that would require me to explicitly set the DN of the group in the access control itself.

What I want/need to be able to do is for LDAP to read the DN of the group that has permission, in the same what that it does with dnattr. I thought that I had read something about this being possible with sets, but slapd.access says that "The statement set= is undocumented yet." so I'm not clear if that is the most appropriate way to proceed.

Can someone please advise on how this might be accomplished?



Best Answer

Here is the answer to this.

The group has an attribute called owner. That attribute can be the DN of an individual, or of a group if the group membership uses an attribute called uniqueMember, and that is the DN of an individual.

The access rule is:

access to dn.sub="ou=groups,dc=example,dc=com"
     by dnattr="owner" write
     by set="this/owner/uniqueMember & user" write
     by * none
Related Topic