DN design - yet another newbie question

(this is a re-post from the openldap-general list)


I have been told that it is good to keep the DNs as simple as possible. With this in mind, can the ACL/security be set based on attributes?

If my DN is something like this:

employeeId=1234, o=Four Seasons Produce, c=US

Can I set security to something like this:
Allow viewing of attribute (x) from DN with attribute (y).

or must I create a DN like this:
ou=Manager, ou=Virginia, employeeId=1234, o=Four Seasons Produce, c=US

Some specifics about what I am trying to accomplish are:
We have multiple geographic locations and want to allow managers the ability to change certain information for their subordinates only. Also we want to ensure that people at one location only have limited access to the information about people at another location.

Thanks in advance,
- Bennett
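Editorial note added to this archived post (it is not part of Bennett's message or of any reply on the list): the two requirements above can be expressed in an OpenLDAP slapd.conf ACL without encoding location or role into the DN, because the `by` clauses can be keyed on attribute values of the target entry and of the bound user. The fragment below is an illustrative example written for this page. It assumes the entries keep a DN-valued `manager` attribute and an `l` (locality) attribute, that users bind with `userPassword`, that `employeeId` is defined in the local schema, and that `title`, `telephoneNumber` and `roomNumber` stand in for "certain information"; all of those names are assumptions, not something the post states.

```conf
# slapd.conf ACL example (added here as an illustration, not from the original post).
# Rules are evaluated first-match, both across "access to" clauses and across
# the "by" clauses inside each one, so the most specific rules come first.

# Let anyone bind with their own password; nobody else may read the hash.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Managers may change a few attributes of their direct reports.
# "dnattr=manager" matches when the bound DN (e.g.
# employeeId=1234,o=Four Seasons Produce,c=US) is listed in the target
# entry's "manager" attribute, so no ou=Manager RDN is needed in the DN.
# Same-location colleagues may read those attributes; others see nothing.
access to attrs=title,telephoneNumber,roomNumber
    by dnattr=manager write
    by set="this/l & user/l" read
    by self read
    by * none

# Everything else in a person entry: readable by people at the same
# location (the set is non-empty when the target's "l" and the bound
# user's "l" share a value) and by the person themself; read-only for
# both, so nobody can rewrite their own "l" or "manager" to escalate.
access to *
    by set="this/l & user/l" read
    by self read
    by * none
```

Two caveats when relying on attribute-keyed ACLs like these: the attributes the rules consult (`manager`, `l`) become security-critical, so the ACLs must not let ordinary users modify them (the example grants only `read` on them); and the rootdn bypasses ACLs entirely, so administrative changes should go through a separately controlled account rather than a broad `write` grant. The `set` style may be marked experimental in some OpenLDAP releases; check `slapd.access(5)` for the version in use.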