[Date Prev][Date Next] [Chronological] [Thread] [Top]

User management

I am developing an application that should permit to users 
to interact with a subtree of the DIT. 
For example, given the node
there is a user called
that can do everything but under that node.
That user can add others users too, to manage zones under 
his zone:
for example, the user admin could add the zone
and define a user smadmin to manage that zone.
After that, admin should be able to see everything under 
the zone ou=Managers,ou=Administration,l=Italy,o=XYZ, 
INCLUDING the zone ou=SuperManagers,... and smadmin only 
the latter.
This operations should not imply to restart the server with 
new acl definitions.
Which is the best/preferred way to do that ?
I was thinking about adding an attribute to every user that 
contains the zone for which he is enabled. For example, the 
user admin should be defined in this way:

dn: cn=admin,ou=applicationUsers,o=XYZ
cn: admin
enabledCtx: ou=Managers,ou=Administration,l=Italy,o=XYZ

and to define an acl that reads enabledCtx.
Are there other ways to do it ? 
Thanks for every suggestion,