
Access permissions to add new entries



Hi

I wanted to run a scenario past everyone to see if there is a better approach to the one I am thinking of implementing.

The OU structure we have is:

+- dc=example,dc=com
+-- ou=accounts
+--- ou=subsidiary1
+--- ou=subsidiary2
+--- ou=special
+--- ou=staff
+--- ou=the-rest

I have two groups defined - one group needs to be able to create new entries under the staff OU, and the other group needs to be able to create new entries under the OUs subsidiary1, subsidiary2 and the-rest. Nobody (except for LDAP admin) should be able to create entries under OU special.

More specifically, I want group members to be able to add new entries, but modification and deletion of entries should only be done by the LDAP admin. I may want to allow group members to modify entries in the future, but certainly just add for now.

A couple of notes about subsidiary1/subsidiary2:

* they aren't really called that :-)
* more will get added over time, with corresponding changes in permissions required.

In other words, I can't use a regex to match against "subsidiary", but I want an ACL implementation that, if possible, can cope with future OUs being created without modifying the ACLs.

So, my thinking is:

1. Have an ACL that blocks write access to "special".
2. Have an ACL that grants write access to "staff" for members of the staff account managers group.
3. Have one ACL that grants write access to all other OUs for members of the non-staff account managers group.

If that makes sense ...

access to dn.exact="ou=special,ou=accounts,dc=example,dc=com" attrs=children
     by * none

access to dn.exact="ou=staff,ou=accounts,dc=example,dc=com" attrs=children
by group="cn=account-mgrs-staff,ou=mailing,ou=groups,dc=example,dc=com" add
by * none

access to dn.sub="ou=staff,ou=accounts,dc=example,dc=com" attrs=entry
by group="cn=account-mgrs-staff,ou=mailing,ou=groups,dc=example,dc=com" add
by * none

How do I do the rules for the other OUs? Can I have just two rules? One to allow access to the children attribute and one to allow access to the entry attribute? If so, it would need to be on the OUs beneath ou=accounts so that members of the group cannot create entries within ou=accounts.

So would this work?

access to dn. attrs=children
by group="cn=account-mgrs-non-staff,ou=mailing,ou=groups,dc=example,dc=com" add
by * none

access to dn.sub="ou=accounts,dc=example,dc=com" attrs=entry
by group="cn=account-mgrs-non-staff,ou=mailing,ou=groups,dc=example,dc=com" add
by * none

I'm not sure if members of account-mgrs-non-staff would be blocked from adding to ou=staff ...

Suggestions or help appreciated.

Regards

Philip
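One way to write the rule set described in the post, as an added example rather than Philip's own configuration. It assumes OpenLDAP 2.4 or later (the `add` privilege and the `dn.onelevel` scope), and it relies on slapd's first-match evaluation: each `access to` clause is tried in order and the first one whose target matches decides the outcome, so the more specific OUs have to come before the catch-all. The `dn.onelevel` scope matches only the entries directly beneath ou=accounts, which is what keeps the non-staff group from creating entries at ou=accounts itself and lets new OUs be covered without editing the ACL.

```conf
# Added example, not from the original post. Assumes OpenLDAP 2.4+
# ("add" privilege, dn.onelevel scope) and slapd's first-match ACL order.

# 1. Nobody may create entries beneath ou=special. The rootdn bypasses
#    ACLs entirely, so it needs no "by" clause of its own.
access to dn.exact="ou=special,ou=accounts,dc=example,dc=com" attrs=children
        by * none

# 2. Only the staff managers group may create entries directly beneath
#    ou=staff. Listed before the catch-all so it wins on first match.
access to dn.exact="ou=staff,ou=accounts,dc=example,dc=com" attrs=children
        by group="cn=account-mgrs-staff,ou=mailing,ou=groups,dc=example,dc=com" add
        by * none

# 3. Every other OU that sits directly beneath ou=accounts (subsidiary1,
#    subsidiary2, the-rest, and any OU created later). dn.onelevel does not
#    match ou=accounts itself, so this group cannot add entries there.
access to dn.onelevel="ou=accounts,dc=example,dc=com" attrs=children
        by group="cn=account-mgrs-non-staff,ou=mailing,ou=groups,dc=example,dc=com" add
        by * none

# 4. An add also requires "add" on the entry pseudo-attribute of the new
#    entry. Granting it subtree-wide is acceptable only because clauses 1-3
#    already decide, per parent, who may write "children": an add into the
#    wrong OU still fails on that check. "add" is cumulative and includes
#    read; "by * read" keeps ordinary read access for everyone else.
access to dn.sub="ou=accounts,dc=example,dc=com" attrs=entry
        by group="cn=account-mgrs-staff,ou=mailing,ou=groups,dc=example,dc=com" add
        by group="cn=account-mgrs-non-staff,ou=mailing,ou=groups,dc=example,dc=com" add
        by * read
```

Two points worth checking after loading this: first, because only `add` is granted on `children`, group members cannot delete or rename entries, which matches the stated requirement that modification and deletion stay with the LDAP admin; second, `dn.onelevel` covers only the OUs directly beneath ou=accounts, so if an OU such as the-rest later gains sub-OUs of its own, creating entries inside those would need an additional clause. Testing with `slapacl` against a sample DN for each group is the quickest way to confirm the intended first-match behaviour before exposing the directory to the managers.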