
Re: Assigning user access to parts of tree

Hi Marco, and thanks again!

Hmm, it seems that I may have stated the original problem in a method
which could cause confusion.  Here's the real scenario:

- I have my top-level domain, say "dn:dc=abcd,dc=com"

- Within this I create an ou called virtualDomain thus:


- Within this I create a number of virtual domains, e.g.


Now I'd need each of these to be administered by a different person;
the scenario is that of a web/mail hosting company which is hosting
multiple domains, one each per client.  The client should have
complete access to read/write each domain's information.  The client's 
authentication/authorisation information and password must also be
stored in the LDAP database itself, so that s/he has the option of
changing it at will.

To further complicate matters, within each virtualDomain there will be
multiple virtualEmailUsers, each of whom will /also/ need their own
authentication in order to be able to change their POP password,
auto-reply file, etc.  Naturally, the domain owner must have "super-user"
permissions on this whole domain subtree (including the email users'

Perhaps I'm just slow in catching on, but is this possible with either 
of the schemes which you're suggesting?


-- Raju

>>>>> "Marco" == Marco Ferrante <ferrante@unige.it> writes:

    >> Hi Marco,
    Marco> Hi,
    >> Thanks for the quick and detailed reply.  However if I
    >> understand you rightly, these access permissions go into the
    >> slapd.conf.  Is there any way of maintaining these permissions
    >> within the LDAP database itself?

    Marco> 	By this method you have to set slapd.conf only one
    Marco> time, then you can control access by editing entries directly.
    Marco> With the method using "groupOfNames", every time you add an
    Marco> entry called "cn=RWusers, ..." under a subtree and put a DN
    Marco> in a "member" attribute value of this entry, this DN can
    Marco> read and write every object under the subtree.  Ex:

    Marco> SLAPD.CONF:

    Marco> 	# $2 is the text captured after "ou=", so the group DN
    Marco> 	# needs "ou=" in front of it to name a real entry
    Marco> 	access to dn="(.*),ou=(.*),dc=abcd,dc=com"
    Marco> 		by self write
    Marco> 		by group="cn=RWusers,ou=$2,dc=abcd,dc=com" write
    Marco> 		by group="cn=ROusers,ou=$2,dc=abcd,dc=com" read

    Marco> LDIF:

    Marco> 	dn: cn=RWusers,ou=virtualDomain,dc=abcd,dc=com
    Marco> 	objectClass: groupOfNames
    Marco> 	cn: RWusers
    Marco> 	member: cn=userA,ou=adomain,dc=abcd,dc=com
    Marco> 	member: cn=userC,ou=anotherdomain,dc=abcd,dc=com
    Marco> 	... other stuff ...

    Marco> Every user that binds with a DN listed in "member" can
    Marco> write in the ou=virtualDomain,dc=abcd,dc=com subtree.  You can
    Marco> add and remove values from the entry without touching
    Marco> SLAPD.CONF.

    Marco> 	With the second method the ACL also depends on entries, in a
    Marco> more performant but less flexible way.
    Marco> Bye
    Marco> --------------------------------------------------------
    Marco> Marco Ferrante (ferrante@unige.it) CSITA (Centro Servizi
    Marco> Informatici e Telematici d'Ateneo) Università degli Studi
    Marco> di Genova - Italy Viale Brigata Salerno - 16147 Genova tel
    Marco> (+39) 0103532621 (interno tel. 2621)
    Marco> --------------------------------------------------------
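The point where Marco's "groupOfNames" ACL and Raju's per-client requirement meet is the regex capture in the `access to dn=` clause: slapd matches the target entry's DN against that regex and substitutes `$N` in the `group=` template with the N-th capture, so the capture decides which group entry is consulted. The script below, added here as an illustration and not code from either poster, models that expansion and the `by self write / by group=... write` evaluation order for two patterns: Marco's unanchored `(.*),ou=(.*),...`, whose greedy first group makes `$2` the outermost ou (one RWusers group for every hosted domain), and an anchored per-domain variant, which is an assumption of this example, where `$2` is the client domain's ou so each domain owner only administers their own subtree. The DNs, ou names and group memberships are constructed sample data; the `expand_group_dn` and `access_level` functions are hypothetical helpers that mimic slapd's behaviour with Python's `re` (for these patterns Python's greedy matching agrees with the POSIX regex slapd uses).

```python
import re

# Suffix and tree layout from the thread: ou=virtualDomain holds one ou per
# hosted client domain.  The ou names used below are constructed for this example.
SUFFIX = "dc=abcd,dc=com"

# Marco's target regex and group template ("ou=" added so $2 yields a real DN).
MARCO_TARGET = r"(.*),ou=(.*)," + SUFFIX
MARCO_GROUP = "cn=RWusers,ou=$2," + SUFFIX

# Per-domain variant (an assumption of this example): anchored, and the client
# domain's ou captured as $2 so every domain gets its own RWusers group.
PER_DOMAIN_TARGET = r"^(.+),ou=([^,]+),ou=virtualDomain," + SUFFIX + "$"
PER_DOMAIN_GROUP = "cn=RWusers,ou=$2,ou=virtualDomain," + SUFFIX


def expand_group_dn(target_pattern, group_template, entry_dn):
    """Mimic 'access to dn=<regex> ... by group=<template>': match the target
    entry DN against the regex and replace $N with the N-th capture.
    Returns None when the access clause does not apply to entry_dn."""
    # slapd's regex DN match is unanchored unless the pattern carries ^ and $
    m = re.search(target_pattern, entry_dn)
    if m is None:
        return None
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), group_template)


# Constructed group entries: one groupOfNames per client domain, each listing
# that domain's owner.  In the real directory these are LDIF entries, so the
# owner can add members without anyone touching slapd.conf.
GROUPS = {
    "cn=RWusers,ou=adomain,ou=virtualDomain," + SUFFIX: {
        "cn=owner,ou=adomain,ou=virtualDomain," + SUFFIX},
    "cn=RWusers,ou=anotherdomain,ou=virtualDomain," + SUFFIX: {
        "cn=owner,ou=anotherdomain,ou=virtualDomain," + SUFFIX},
}


def access_level(bind_dn, entry_dn, target_pattern=PER_DOMAIN_TARGET,
                 group_template=PER_DOMAIN_GROUP, groups=GROUPS):
    """Evaluate 'by self write  by group=<RWusers> write  by * none' in slapd
    order: the first 'by' clause that matches the bound DN decides."""
    if bind_dn == entry_dn:                       # by self write
        return "write"
    group_dn = expand_group_dn(target_pattern, group_template, entry_dn)
    if group_dn is not None and bind_dn in groups.get(group_dn, set()):
        return "write"                            # by group="..." write
    return "none"                                 # by * none (the default)


if __name__ == "__main__":
    user_a = "cn=userA,ou=adomain,ou=virtualDomain," + SUFFIX
    # Marco's pattern: greedy (.*) leaves $2 = "virtualDomain" for every domain
    print("Marco's group for userA:    ", expand_group_dn(MARCO_TARGET, MARCO_GROUP, user_a))
    # Per-domain pattern: $2 = "adomain", so only adomain's owners match
    print("Per-domain group for userA: ", expand_group_dn(PER_DOMAIN_TARGET, PER_DOMAIN_GROUP, user_a))
    for who in ("cn=owner,ou=adomain,ou=virtualDomain," + SUFFIX,
                "cn=owner,ou=anotherdomain,ou=virtualDomain," + SUFFIX,
                user_a):
        print(f"{who.split(',')[0]:>12} on userA -> {access_level(who, user_a)}")
```

Two things the run makes visible. With Marco's pattern every client's users resolve to the single group under ou=virtualDomain, so a member of it can write every hosted domain, which is the cross-tenant exposure Raju wants to avoid; the anchored per-domain pattern keeps anotherdomain's owner at "none" on adomain's entries while still letting adomain's owner write the RWusers entry itself (it sits inside the subtree), which is exactly the "super-user over the domain" delegation. Also note that `by self write` with no `attrs=` lets each mail user rewrite any attribute of their own entry, not just the password; if only the POP password and auto-reply file should be self-managed, a preceding `access to ... attrs=userPassword,... by self write` clause limits the grant to those attributes.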