Re: Maintaining information about who owns what..
--On Saturday, December 11, 2004 11:33 PM -0600 firstname.lastname@example.org wrote:
I am using OpenLDAP 2.2.
I have two types of entries in our directory: people and accounts. I want
to be able to easily determine which accounts are owned by which people. (A
people entry belongs to one actual person, while a person may own several
accounts.) The current thinking is to use a local objectclass and
(localAccount). So we may have:
And our account:
This way it's easy to map back and forth between entries.
I would think that locating which accounts belong to which people is a
common occurrence. It can be difficult to enforce a one person/one account
rule in many organizations.
OpenLDAP supports sets, which can allow you to do this type of thing. Do
people bind into the directory as one of their accounts? If so, it might
look something like:
access to dn.children="cn=people....."
by set.exact="this/localAccount & user/dn" read
or if they bind to the people tree
access to dn.children="cn=account..."
by set.exact="this/localPerson & user/dn" read
Those may be a bit incorrect, but hopefully you get the idea.
Principal Software Developer
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
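Added example (not part of the thread above, and not Quanah's or the poster's code): a slapd.conf fragment showing the two-way ownership link and the set-based ACLs in the form documented in slapd.access(5), where `this` and `user` are already sets holding the target entry's DN and the bound DN, and `/attr` expands a set to the DN values of that attribute. Everything below is assumed for illustration: the suffix dc=example,dc=com, the ou=People and ou=Accounts containers, the attribute names localAccount (multi-valued, on the person entry) and localPerson (single-valued, on the account entry), the auxiliary object classes that carry them, the admin group DN, and the 1.1 OID arc, which is a placeholder for experimentation and must be replaced by a registered arc before use.

```conf
# --- Local schema (assumed names; OID arc 1.1 is a placeholder) ---
objectIdentifier localArc  1.1
objectIdentifier localAttr localArc:1
objectIdentifier localOC   localArc:2

# Person -> accounts it owns (DN syntax, multi-valued)
attributetype ( localAttr:1 NAME 'localAccount'
    DESC 'DN of an account owned by this person'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

# Account -> the one person who owns it (DN syntax, single-valued)
attributetype ( localAttr:2 NAME 'localPerson'
    DESC 'DN of the person who owns this account'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )

objectclass ( localOC:1 NAME 'localAccountOwner' AUXILIARY
    DESC 'Person entry that may own accounts'
    MAY localAccount )

objectclass ( localOC:2 NAME 'localOwnedAccount' AUXILIARY
    DESC 'Account entry that belongs to exactly one person'
    MUST localPerson )

# Constructed sample entries (LDIF), shown as comments:
#   dn: uid=jdoe,ou=People,dc=example,dc=com
#   objectClass: inetOrgPerson
#   objectClass: localAccountOwner
#   localAccount: uid=jdoe-adm,ou=Accounts,dc=example,dc=com
#   localAccount: uid=jdoe-svc,ou=Accounts,dc=example,dc=com
#
#   dn: uid=jdoe-adm,ou=Accounts,dc=example,dc=com
#   objectClass: account
#   objectClass: simpleSecurityObject
#   objectClass: localOwnedAccount
#   localPerson: uid=jdoe,ou=People,dc=example,dc=com

# --- Access control ---
# The ACLs below grant rights based on the values of localAccount and
# localPerson, so whoever can write those attributes can grant themselves
# access. Lock them down first; slapd uses the first matching "access to"
# clause, so this rule must precede the ones that rely on the attributes.
access to attrs=localAccount,localPerson
    by group.exact="cn=Directory Admins,ou=Groups,dc=example,dc=com" write
    by * read

# Case 1: the user binds as one of their *accounts* (uid=jdoe-adm,...).
# "this/localAccount" is the set of account DNs listed in the person entry
# being read; intersecting it with "user" (the bound DN) is non-empty only
# for the owner's own person entry.
access to dn.children="ou=People,dc=example,dc=com"
    by set.exact="this/localAccount & user" read
    by * none

# Case 2: the user binds as their *person* entry (uid=jdoe,...).
# "this/localPerson" is the owner DN stored on the account entry; only the
# person it names may change the account's password or read the account.
access to dn.children="ou=Accounts,dc=example,dc=com" attrs=userPassword
    by set.exact="this/localPerson & user" write
    by anonymous auth
    by * none

access to dn.children="ou=Accounts,dc=example,dc=com"
    by set.exact="this/localPerson & user" read
    by * none

access to *
    by * none
```

Two things to check after loading this: bind as the account and search ou=People (e.g. `ldapsearch -x -D uid=jdoe-adm,ou=Accounts,dc=example,dc=com -W -b ou=People,dc=example,dc=com`) and confirm only uid=jdoe comes back; then bind as a different, unlinked account and confirm the same search returns nothing. Set comparison is on normalized DNs, so the stored values must be real DNs of existing entries, not free-form strings, and the pair of attributes must be kept consistent in both directions, since each ACL only consults the attribute on the entry being accessed.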