Hi all,

I'm in the process of migrating from NIS to FDS and I'm running into problems implementing our requirements for access control under Fedora. The behaviour I'm trying to replicate is as follows: our current NIS administration tool allows the creation of users who are designated as group administrators. These are normal users who can modify user details and create users in NIS, but only for users who are in the same group as the group administrator.

The DIT we're currently using is flattish, with three branches at the root: one for users (dn: ou=people,ou=foo), one for groups (dn: ou=groups,ou=foo), and one for other NIS maps (dn: ou=nis,ou=foo). Users and groups have been imported from NIS as RFC 2307 posixAccounts and posixGroups, e.g.:

    dn: uid=test,ou=people,ou=foo
    givenName: Nemo
    loginShell: /bin/bash
    uidNumber: 1000
    gidNumber: 1000
    objectClass: posixAccount
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: shadowAccount
    uid: test
    cn: Nemo (GJB)
    homeDirectory: /homes/test

    dn: cn=servers,ou=groups,ou=foo
    gidNumber: 1000
    memberUid: bar
    memberUid: baz
    objectClass: posixgroup
    objectClass: top
    cn: servers

We plan to use PADL's ypldapd for legacy NIS.

In addition to the NIS groups, I've created a groupOfUniqueNames object (dn: cn=grp_admin,ou=groups,ou=foo) to list those users who are our group administrators. So far I've got the following (working) ACI on the ou=groups,ou=foo entry:

    (targetattr = "memberUid")
    (target = "ldap:///cn=*,ou=groups,ou=foo")
    (version 3.0; acl "group edit by admin's";
      allow (write)
      (groupdn = "ldap:///cn=admin,ou=groups,ou=foo" and userattr = "gidnumber#1000");
    )

which, as long as users are in grp_admin and have a gidnumber of 1000, allows addition/deletion of users from the group. But this doesn't strike me as being very elegant, as it requires a separate ACI for each group.
What I'd prefer is something similar to the following:

    (targetattr = "memberUid")
    (target = "ldap:///cn=*,ou=groups,ou=foo")
    (version 3.0; acl "group edit by admin's";
      allow (write)
      (groupdn = "ldap:///cn=admin,ou=groups,ou=foo" and userattr = "gidnumber#($attr.gidnumber)");
    )

using the ($attr.gidnumber) macro to match up the user's GID and the group's GID. Is it possible to do something like this, or am I missing an obvious solution?

Likewise, I have an ACI for restricting the creation of users to have the same group as the creator (in this case GID 1000):

    (targetattrfilter = "add=gidnumber:(gidnumber=1000)")
    (target = "ldap:///ou=people,ou=foo")
    (version 3.0; acl "user edit by admin's - restrict GID to admin's";
      allow (add)
      (groupdn = "ldap:///cn=admin,ou=groups,ou=foo" and userattr = "gidnumber#1000");
    )

But again it suffers from the problem affecting the group ACI, requiring an ACI per group.

Any help would be welcomed.

-- 
Jonathan Barber

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
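The one-ACI-per-group approach the post describes as working but inelegant, automated rather than hand-written. This is an added example; it is not code from the post or from Fedora Directory Server. It parses constructed RFC 2307 LDIF modelled on the entries above and emits, for every posixGroup, the pair of ACIs the post shows: a memberUid write ACI targeted at that one group's DN, and a user-add ACI on ou=people,ou=foo whose add-time filter pins gidNumber to that group's GID (emitted with the 389 DS keyword spelling targattrfilters). The group administrators' groupOfUniqueNames is assumed to be cn=grp_admin,ou=groups,ou=foo, the DN the post's text names (the posted ACIs reference cn=admin). Because the bind rule matches on the administrator's gidNumber, two posixGroups sharing a gidNumber would both become editable by either group's admins, so the generator refuses to emit anything while duplicate GIDs exist.

```python
"""Generate per-posixGroup 389 DS / Fedora DS ACIs from RFC 2307 LDIF.

Added example, not code from the mailing-list post or from the server.
Automates the one-ACI-per-group approach the post describes.
"""
import re
from collections import defaultdict

# Constructed sample data, modelled on the entries in the post.
SAMPLE_LDIF = """\
dn: cn=servers,ou=groups,ou=foo
objectClass: posixgroup
objectClass: top
cn: servers
gidNumber: 1000
memberUid: bar
memberUid: baz

dn: cn=desktops,ou=groups,ou=foo
objectClass: posixGroup
objectClass: top
cn: desktops
gidNumber: 1001

dn: uid=test,ou=people,ou=foo
objectClass: posixAccount
objectClass: top
uid: test
cn: Nemo (GJB)
gidNumber: 1000
"""

# Assumed DN of the group administrators' groupOfUniqueNames (the post's text names it).
ADMIN_GROUP_DN = "cn=grp_admin,ou=groups,ou=foo"
PEOPLE_BASE = "ou=people,ou=foo"
GROUPS_BASE = "ou=groups,ou=foo"


def parse_ldif(text):
    """Parse plain LDIF into a list of {attr_lowercase: [values]} dicts.

    Folded continuation lines (leading space) are joined; base64 (::)
    values are not decoded, which posixGroup entries do not need.
    """
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = defaultdict(list)
        last = None
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            if line.startswith(" ") and last is not None:
                entry[last][-1] += line[1:]
                continue
            attr, _, value = line.partition(":")
            last = attr.strip().lower()
            entry[last].append(value.strip())
        entries.append(dict(entry))
    return entries


def posix_groups(entries):
    """Entries carrying the posixGroup object class (case-insensitive)."""
    return [e for e in entries
            if "posixgroup" in {v.lower() for v in e.get("objectclass", [])}]


def duplicate_gids(groups):
    """gidNumbers shared by more than one group. With a userattr match on
    gidNumber, every such group is editable by any of their admins."""
    seen = defaultdict(list)
    for g in groups:
        seen[g["gidnumber"][0]].append(g["dn"][0])
    return sorted(gid for gid, dns in seen.items() if len(dns) > 1)


def group_acis(group, admin_group_dn=ADMIN_GROUP_DN, people_base=PEOPLE_BASE):
    """Build the (memberUid-edit ACI, user-add ACI) pair for one group."""
    dn, cn, gid = group["dn"][0], group["cn"][0], group["gidnumber"][0]
    # Same bind rule as the post: member of the admin group AND own gidNumber == gid.
    subject = (f'(groupdn = "ldap:///{admin_group_dn}" '
               f'and userattr = "gidNumber#{gid}")')
    member_aci = (
        f'(targetattr = "memberUid")(target = "ldap:///{dn}")'
        f'(version 3.0; acl "memberUid edit of {cn} by group admins"; '
        f'allow (write) {subject};)'
    )
    create_aci = (
        f'(targattrfilters = "add=gidNumber:(gidNumber={gid})")'
        f'(target = "ldap:///{people_base}")'
        f'(version 3.0; acl "user add by {cn} admins, gidNumber fixed to {gid}"; '
        f'allow (add) {subject};)'
    )
    return member_aci, create_aci


def aci_modify_ldif(entries, groups_base=GROUPS_BASE, people_base=PEOPLE_BASE):
    """LDIF 'changetype: modify' records that add every generated ACI:
    membership ACIs on the groups container, user-add ACIs on the people container."""
    groups = posix_groups(entries)
    dupes = duplicate_gids(groups)
    if dupes:
        raise ValueError(f"gidNumber shared between groups: {dupes}")
    group_rec = [f"dn: {groups_base}", "changetype: modify", "add: aci"]
    people_rec = [f"dn: {people_base}", "changetype: modify", "add: aci"]
    for g in groups:
        member_aci, create_aci = group_acis(g, people_base=people_base)
        group_rec.append(f"aci: {member_aci}")
        people_rec.append(f"aci: {create_aci}")
    return "\n".join(group_rec) + "\n\n" + "\n".join(people_rec) + "\n"


if __name__ == "__main__":
    print(aci_modify_ldif(parse_ldif(SAMPLE_LDIF)))
```

Feed the output to ldapmodify as the Directory Manager after checking it by eye; rerunning the generator after adding a group produces the whole set again, so either delete the old aci values first or diff the two outputs and apply only the new lines.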