[Date Prev][Date Next] [Chronological] [Thread] [Top]

authentication problem

After browsing through a lot of documentation and this list, it still
seems to me that noone has ever had this problem: 

This ist my DIT:

    /     \
   /       \
ou=groups   ou=people
  |             |
group1        user1
group2        user2
...            ...

I need an authentication database for Squid auth. All Users are located
under the "ou=people" branch. Each of them is a uniqueMember in one ore
more groups (which are of the type groupOfUniqueNames). With these
settings everything works really fine with OpenLDAP 1.7 as well as
with OpenLDAP 2.0.

Now I'd like to define users being able to change data of users being in a
specific group. An example:
Lets say I got a user called "fred". fred has got an administrative role
in my department and i want him to be able to change data and group
settings of one group (his department) and of all users who are members of
this group (but not of any other user).
The problem is, though it is easily accomplished to have a group being
able to access a certain subtree (by using the "access to ... by
group=..."), I am not able to define an ACL like:

access to group=... by ...

Thus I am not able to limit access within a certain subtree. 
Furthermore, I do not want to split up the subtree according to the
peoples departments.
Has anyone of you any kind of experience with a similar problem? Any
ideas, workarounds, solutions??

Thanks alot,

Marc Kirchner