Dominic Cleal's Blog

Fri, 12 Sep 2008 15:02:08 GMT

Handy OpenDS ACI snippet for reading groups

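A little ACI snippet for OpenDS (the open source LDAP server from Sun) that allows a user to read, search and compare a group entry and all of its attributes except 'member', but only if the user is a member of the group itself (or of a descendant group). The first ACI matches users whose DN is listed directly in 'member' (USERDN); the second matches users who belong to a group whose DN is listed in 'member' (GROUPDN).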

(targetattr!="member")(version 3.0; acl "Group membership read"; allow (read,search,compare) userattr="member#USERDN";)
(targetattr!="member")(version 3.0; acl "Group membership read"; allow (read,search,compare) userattr="member#GROUPDN";)
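
To see which binds the two ACIs above let through, here is a small Python model of their evaluation. It is an added example, not OpenDS code or part of the original post: the sample entries and DNs are constructed, the function names are hypothetical, and it assumes static groups that use 'member', one level of group lookup for GROUPDN, and no other ACI granting access.

```python
# Simplified model of the two ACIs above; not OpenDS code.
# Assumes no other ACI applies, so anything not allowed here is denied.

# Constructed sample entries (static groups using the 'member' attribute).
DIRECTORY = {
    "cn=admins,ou=groups,dc=example,dc=com": {
        "cn": ["admins"],
        "description": ["Directory administrators"],
        "member": ["uid=alice,ou=people,dc=example,dc=com",
                   "cn=oncall,ou=groups,dc=example,dc=com"],
    },
    "cn=oncall,ou=groups,dc=example,dc=com": {
        "cn": ["oncall"],
        "description": ["On-call rota"],
        "member": ["uid=bob,ou=people,dc=example,dc=com"],
    },
}


def norm(dn):
    """Crude DN normalisation (case and spacing only), enough for the sample."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def members(entry):
    """Normalised values of the entry's 'member' attribute."""
    return {norm(v) for v in entry.get("member", [])}


def userattr_matches(entry, bind_dn, bind_type):
    """Evaluate userattr="member#<bind_type>" against the target entry."""
    if bind_type == "USERDN":      # bind DN is itself a value of 'member'
        return norm(bind_dn) in members(entry)
    if bind_type == "GROUPDN":     # bind DN belongs to a group listed in 'member'
        return any(norm(bind_dn) in members(DIRECTORY[g])
                   for g in members(entry) if g in DIRECTORY)
    raise ValueError(f"unsupported bind type: {bind_type}")


def readable_attributes(target_dn, bind_dn):
    """Attribute names the bound user may read on the target group entry."""
    entry = DIRECTORY[norm(target_dn)]
    if not any(userattr_matches(entry, bind_dn, t) for t in ("USERDN", "GROUPDN")):
        return set()               # neither ACI matches: nothing is allowed
    # (targetattr!="member"): every attribute except 'member' is in scope.
    return {attr for attr in entry if attr.lower() != "member"}
```

In this model alice reads 'cn' and 'description' of the admins group through USERDN and bob reads them through GROUPDN, while neither can read 'member' and a user outside both groups gets nothing.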

Many thanks to Ludovic Poitou for his time and assistance on #opends!
