
Re: ACL for multiple groups



At 11:19 PM 1/26/01 +0800, eg_ymc@stu.ust.hk wrote:
>Dear all,
>
>I have to develop a directory for multiple groups. Each group has different access control rights. If a user is a member of several groups, which access control right should he have? Does he have the greatest right among all groups (say, the write right is greater than the read)?

In OpenLDAP 2.0, you can use the experimental ACL additive permissions
and clause controls.  See http://www.openldap.org/faq/index.cgi?file=447
and tests/data/slapd-acl.conf for an example.  See the 1.2 faq for
examples on group ACLs.

In 1.2 (and 2.0 without the above), you need to order group
checks so that the first matched clause is what you want.
That is, check for ou=senior manager before ou=sales before
individual rights.


>For example, John is a member of sales group and a member of senior manager group (see the table).
>__________________________________________
>John DN: uid = john, ou = staff, dc=abc, dc=com
>He has right to compare customer information 
>__________________________________________
>Sales DN: ou=sales, dc=abc, dc=com
>member: uid = john, ou = staff, dc=abc, dc=com
>This group has right to read customer information 
>__________________________________________
>Sales DN: ou=senior manager, dc=abc, dc=com
>member: uid = john, ou = staff, dc=abc, dc=com
>This group has right to write customer information 
>__________________________________________
>
>When John logs in, what is the access right of John?
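The ordering rule from the reply, written out as a slapd.conf fragment with the DNs from the question. This is an added example, not part of the original thread; the subtree `ou=customers,dc=abc,dc=com` standing in for "customer information" is an assumption, and the syntax is the OpenLDAP 2.0 slapd.conf form (`by group=` expects groupOfNames/member, which matches the `member:` attribute in the question).

```conf
# Added example (not from the thread). OpenLDAP evaluates the "by" clauses
# of an "access to" directive in order and applies the FIRST clause whose
# subject matches the requester; later clauses are not consulted.
# Assumed target: customer entries live under ou=customers,dc=abc,dc=com.

# --- Misordered: John's individual clause and the sales group are listed
# before senior manager. John matches "by dn=" first and gets only compare,
# even though he is also a member of both groups.
access to dn=".*,ou=customers,dc=abc,dc=com"
    by dn="uid=john,ou=staff,dc=abc,dc=com" compare
    by group="ou=sales,dc=abc,dc=com" read
    by group="ou=senior manager,dc=abc,dc=com" write
    by * none

# --- Corrected: most privileged / most specific group first, then the less
# privileged group, then individual rights, then the catch-all. John now
# matches the senior manager clause first and gets write; a user who is only
# in sales gets read; everyone else gets none.
access to dn=".*,ou=customers,dc=abc,dc=com"
    by group="ou=senior manager,dc=abc,dc=com" write
    by group="ou=sales,dc=abc,dc=com" read
    by dn="uid=john,ou=staff,dc=abc,dc=com" compare
    by * none
```

Only one of the two directives should be present in a real slapd.conf; they are shown together to contrast the outcome of the ordering. Because the first match wins, a new group clause appended at the end of an existing directive is silently shadowed for any user who already matches an earlier clause, so reviewing ACL order is part of verifying any group-permission change.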