Posted to users@directory.apache.org by David Filip <df...@colornet.com> on 2021/04/08 13:01:46 UTC

[ApacheDS] ACI Security with Groups?

Dear ApacheDS Community,

With a little help (thanks Stefan!) I've been able to get ACI security working for individual names, but am not sure how to get it working for groups, if that is even possible.

I've set up a group like this within ApacheDS:

    DN: cn=Administrators,ou=groups,o=colornet
        groupOfNames (structural)
        top (abstract)
        Administrators
        cn=David Filip,ou=people,o=colornet
        cn=LDAP Admin,ou=people,o=colornet

so whereas this works in a prescriptiveACI for an individual name:

    userClasses
    {
        name { "cn=LDAP Admin,ou=people,o=colornet" }
    },

I was hoping (fingers crossed) that this might also work for a group:

    userClasses
    {
        name { "cn=Administrators,ou=groups,o=colornet" }
    },

but it does not (no error on LDIF import, but the individual users (cn=David Filip,ou=people,o=colornet and cn=LDAP Admin,ou=people,o=colornet) are not granted any access).

Unfortunately, the online documentation is a little thin around ACIs (mostly still in a TO-DO state, yes I know, patience, Rome wasn't built in a day), so I made a guess at:

    userClasses
    {
        group { "cn=Administrators,ou=groups,o=colornet" }
    },

which did not work (import failed, as the schema didn't know what 'group' was in this context).

As I am not yet proficient at reading and interpreting schema definitions (as presumably my answer is buried somewhere in the schema), can anyone advise as to 1) if groups are supported in ACIs, and 2) if they are, how do I specify them?

In the meantime, yes, this does work (specifying multiple names):

    userClasses
    {
        name { "cn=LDAP Admin,ou=people,o=colornet", "cn=David Filip,ou=people,o=colornet" }
    },

but that defeats the purpose of using a group.

Thanks in advance for any feedback.

Regards,

Dave Filip


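Added example, not part of the post above and not taken from the ApacheDS project. The X.501 ACI model that ApacheDS implements has a `userGroup` user class next to `name`: `name { dn }` matches only a requester bound as that exact DN (so naming the group entry grants access to nobody, which is what the post observes), while `userGroup { dn }` matches any requester whose DN is listed as a member of the named group entry. The LDIF below uses the DNs from the post; the subentry name, identificationTag, precedence and the permission set are illustrative choices. It assumes access control is enabled on the server (ads-accessControlEnabled set to TRUE in the ApacheDS configuration) and that the group is a groupOfNames whose member values are the users' DNs, as shown in the post.

```ldif
# Added example (not the original post's or the ApacheDS project's code).
# Assumed: ads-accessControlEnabled is TRUE on the server, and the group
# cn=Administrators,ou=groups,o=colornet is a groupOfNames listing the
# users' DNs in its member attribute.

# 1. Make o=colornet an access control specific area. Prescriptive ACIs in
#    subentries under a naming context are only evaluated once this
#    administrativeRole is present (skip if it is already set).
dn: o=colornet
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea

# 2. Subentry carrying the prescriptive ACI. userGroup (not name) is the
#    user class that is satisfied by membership in the named group entry.
dn: cn=adminGroupACI,o=colornet
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: adminGroupACI
subtreeSpecification: { }
prescriptiveACI: { identificationTag "grantAdminGroupFullAccess",
  precedence 20,
  authenticationLevel simple,
  itemOrUserFirst userFirst:
  {
    userClasses
    {
      userGroup { "cn=Administrators,ou=groups,o=colornet" }
    },
    userPermissions
    {
      {
        protectedItems { entry, allUserAttributeTypesAndValues },
        grantsAndDenials { grantRead, grantBrowse, grantReturnDN, grantCompare,
          grantFilterMatch, grantAdd, grantModify, grantRemove, grantRename,
          grantExport, grantImport, grantInvoke }
      }
    }
  }
}
```

Two checks worth doing after importing this: bind as cn=David Filip,ou=people,o=colornet (a simple bind satisfies `authenticationLevel simple`) and confirm a search under o=colornet now returns entries, then remove that DN from the group's member attribute and confirm the same bind is denied again. Group membership is read from the group entry's member attribute (uniqueMember for groupOfUniqueNames), so a user who is not listed there is not matched, and the built-in uid=admin,ou=system account bypasses ACI evaluation entirely, so it cannot be used to test the rule.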