
Re: Re: Access Control by Organizational Unit?

You were kind enough to suggest a set of ACLs for an
organizational structure which I am trying to put
together using openldap, in mid May.

Since then I have gotten the latest version of the
openldap software and the bdb software working.  The ACL
structure which you suggested works fine; it was:

quoting your email:

access to  dn.regex="[^,]*,(ou=.*)" attr=userPassword
       by  self                               ssf=128 
       by  dn.regex="cn=Directory Manager,$1" ssf=128 
       by  *                                  ssf=128 

access to  dn.regex="[^,]*,(ou=.*)"
       by  dn.regex="cn=Directory Manager,$1"  write
       by  *                                   read

access to  dn.regex="(ou=.*)" attr=children
       by  dn.regex="cn=Directory Manager,$1"  write
       by  *                                   read

The "[^,]*," says that the directive applies to entries directly below
the ou.  It will not work if the OU contains entries with "," in their
RDN.  Or if you want to give the manager access to subtrees below the
OU, and you do not have OUs below OUs, use 'dn.regex=.*,(ou=.*)'.  If
that does not fit your organizational structure, I can probably come up
with a more complicated regex if you tell me what it should match.

end quoting your email.

All the above works fine, but I realize that now I
need the Directory Manager to be able to create OUs
below the OU of which he is the Directory Manager and
then also to create and change people's cn entries in
that OU.

I can't figure out how to make that set of ACLs.

The structure looks like this:

Directory Manager for ou-one
Person in ou-one
ou-one-A (sub-OU of ou-one)
    Person in ou-one-A

Directory Manager for ou-two
Person in ou-two
ou-two-A (sub-OU of ou-two)
    Person in ou-two-A
ou-two-B (sub-OU of ou-two)
    Person in ou-two-B


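As an added example that is not part of this thread: a small Python checker that models how the `to dn.regex` patterns quoted above expand `$1` in the `by dn.regex="cn=Directory Manager,$1"` clause for each entry of the structure described in the post. The base suffix `dc=example,dc=com`, the person names, and the third, subtree-wide pattern are constructed for the example. The checker models only the unanchored regex search and the `$1` substitution, not slapd's DN normalization, attribute selection, or first-match rule ordering, so a candidate pattern still needs to be confirmed against slapd.access(5) on a test directory.

```python
import re

# Constructed sample directory mirroring the structure in the post:
# two top-level OUs, each with a Directory Manager directly beneath it,
# people directly beneath it, and one or two sub-OUs holding more people.
# The base suffix dc=example,dc=com is an assumption; the post gives none.
BASE = "dc=example,dc=com"
ENTRIES = [
    f"ou=one,{BASE}",
    f"cn=Directory Manager,ou=one,{BASE}",
    f"cn=alice,ou=one,{BASE}",
    f"ou=one-A,ou=one,{BASE}",
    f"cn=bob,ou=one-A,ou=one,{BASE}",
    f"ou=two,{BASE}",
    f"cn=Directory Manager,ou=two,{BASE}",
    f"cn=carol,ou=two,{BASE}",
    f"ou=two-A,ou=two,{BASE}",
    f"cn=dave,ou=two-A,ou=two,{BASE}",
    f"ou=two-B,ou=two,{BASE}",
    f"cn=erin,ou=two-B,ou=two,{BASE}",
]

# Candidate `to dn.regex` patterns. The first two are the ones quoted in
# the post. The third is an added variant (not from the thread): it finds
# the top-level OU by anchoring on the assumed base suffix, so anything at
# or below that OU, including nested sub-OUs, captures the same $1.
# Like the quoted patterns, it assumes no escaped commas inside RDNs.
PATTERNS = {
    "direct children": r"[^,]*,(ou=.*)",
    "quoted subtree":  r".*,(ou=.*)",
    "top-level ou":    rf"(ou=[^,]+,{re.escape(BASE)})$",
}
WHO = "cn=Directory Manager,$1"


def expand_who(to_pattern, who_template, entry_dn):
    """Expand the `by dn.regex` template for one entry.

    Models slapd's handling of dn.regex: the `to` pattern is searched
    unanchored against the entry DN (OpenLDAP 2.1 and later do not anchor
    implicitly), and $1 in the `by` clause is replaced by the first capture
    group. Returns None when the `to` pattern does not match the entry.
    """
    m = re.search(to_pattern, entry_dn)
    if m is None:
        return None
    return who_template.replace("$1", m.group(1))


def grants(to_pattern, who_template=WHO, entries=ENTRIES):
    """Map every entry DN to the DN the rule would grant access to.

    Expansions naming a DN that does not exist are kept so the caller can
    spot rules that silently grant nobody real access.
    """
    return {dn: expand_who(to_pattern, who_template, dn) for dn in entries}


def effective_grants(to_pattern, who_template=WHO, entries=ENTRIES):
    """Like grants(), but keep only expansions that name an existing entry."""
    existing = set(entries)
    return {dn: who
            for dn, who in grants(to_pattern, who_template, entries).items()
            if who in existing}


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        print(f'--- {name}: to dn.regex="{pattern}"')
        for dn, who in grants(pattern).items():
            if who is None:
                note = "(to-clause does not match; next access rule applies)"
            elif who in ENTRIES:
                note = "(existing manager)"
            else:
                note = "(no such entry: grants nobody)"
            print(f"{dn:45s} -> {who}  {note}")
```

Running the block prints, for each pattern, the manager DN every entry resolves to; the quoted direct-children pattern resolves a person in a sub-OU to a manager DN that does not exist, which is the gap the post describes, while the effective_grants() view shows only the grants that reach a real entry.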