[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Access Control by Organizational Unit?

Heather Lockridge writes:
> I would like to implement an ldap scheme so that each
> department which is an organizational unit has a
> person who can control the entries for their
> department and no others.  
> By this I mean that that person will have the right to
> add/delete/modify entries in their own ou only.

This is untested, but: You can give the manager entries below each OU
the same RDN, e.g. cn=Directory Manager, and use an access controls

access to  dn.regex="[^,]*,(ou=.*)" attr=userPassword
       by  self                               ssf=128  write
       by  dn.regex="cn=Directory Manager,$1" ssf=128  write
       by  *                                  ssf=128  auth

access to  dn.regex="[^,]*,(ou=.*)"
       by  dn.regex="cn=Directory Manager,$1"  write
       by  *                                   read

access to  dn.regex="(ou=.*)" attr=children
       by  dn.regex="cn=Directory Manager,$1"  write
       by  *                                   read

The "[^,]*," says that the directive applies to entries directly below
the ou.  It will not work if the OU contains entries with "," in their
RDN.  Or if you want to give the manager access to subtrees below the
OU, and you do not have OUs below OUs, use 'dn.regex=.*,(ou=.*)'.  If
that does not fit your organizational structure, I can probably come up
with a more complicated regex if you tell me what it should match.

The $1 matches the first "()" in the "to" phrase, i.e. DN of the OU.

What the first directive should look like depends on who should
be able to access userPassword in which manner.  The important
point is to ensure that unauthorized users will not see userPassword.
If the manager does not need to be able to update it (after creating
the entry), you can delete the parts about dn.regex for userPassword.

The Directory Manager entry could be something like

  dn: cn=Directory Manager,ou=foobar,dc=urgle,dc=com
  cn: Directory Manager
  objectClass: organizationalRole
  objectClass: simpleSecurityObject
  userPassword: {CRYPT}some-crypt
  # other attributes which you might add for informational purposes
  roleOccupant: uid=whoops,ou=foobar,dc=urgle,dc=com
  telephoneNumber: +1 234 5678
  description: Manager of the LDAP directory for this department

Another way would be to register in each entry an OpenLDAPaci attribute
which gives access to the manager of the OU, and ACIs for the OUs that
the manager can update the children.  But if someone else becomes
directory manager for an OU, you must then change all the ACIs for that
OU - unless you use a special name like Directory Manager for the
manager.  Also you need an 'access ... by aci' directive in slapd.conf,
and to configure with '--enable-aci'.

> Does anyone have any examples of how to do this while
> allowing the overall ldap-admin acces to all?  Or a
> pointer to some (any) examples?

The DN in a database definition's a 'rootdn' has full access to the
database regardless of access controls.  The rootdn entry need not
actually exist in the database, though it must be a DN below the
database's suffix.