[Date Prev][Date Next] [Chronological] [Thread] [Top]

Help with ACLs

To: openldap-technical@openldap.org
Subject: Help with ACLs
From: "David Clarke" <pigwin32@gmail.com>
Date: Wed, 16 Apr 2008 10:42:44 +1200
Content-disposition: inline

Hello and apologies if I'm posting this in the wrong location.

I'm trying to apply some security to my openldap repository and I'm
struggling with how or even if I can express a particular constraint.

I have an ou containing inetOrgPerson's and the person's "o" attribute
is the string value of the organisation "o" to which the user belongs,
e.g. "Some Company Ltd".

e.g. dn=uid=12345679,ou=people,dc=thecompany,dc=co,dc=nz attr o=Some Company Ltd

The organisation "Some Company Ltd" can have subsidiary organisations,
specified by the "owner" attribute of the subsidiary having the "dn"
of owner organisation.

e.g. dn: o=Subsidiary Company
Ltd,ou=organisations,dc=thecompany,dc=co,dc=nz having attr
owner:o=Some Company Ltd,ou=organisations,dc=thecompany,dc=co,dc=nz

What I would like to do is restrict the user to having read access
only to those subsidiary organisations based on the value of the
user's "o" attribute. Is this a reasonable approach or should I be
expressing this differently in my schema?

I hope I've expressed that reasonably clearly. Any help would be much
appreciated.

Follow-Ups:
- Re: Help with ACLs
  - From: "Dieter Kluenter" <dieter@dkluenter.de>

Prev by Date: Fwd: Integrating LDAP with postfix mailserver
Next by Date: DB_CONFIG Problem
Index(es):
- Chronological
- Thread