[Date Prev][Date Next] [Chronological] [Thread] [Top]

Access Control (ACL vs. ACI)

    First, a little background: I want to demo an LDAP-based communications 
directory for a charitable organization that has over 80 different 
departments, branches, and location, all of which are semi-autonomous, and 
are expected to keep track of personal changes on their own. Imagine 
something like this:
    Department A: UK
    Department B: USA
    Department C: France
Department A should be able to edit only the personal that belong to it, and 
not those who belong in B or C. The easy (albeit ungraceful and problematic) 
way would be to create a tree where the personal are children of the 
departments, and then just assign ACLs that way. However, since there is some 
movement between departments, any time someone moved from, say, A to B, their 
entry under A would have to be deleted and recreated under B.
    So then I thought I could use ACI. I could have two trees, say People (a 
flat list), and Departments. Every person would have an attribute (say o=A) 
and any department that had a matching attribute would be able to edit that 
entry. So the first question is, is this a good idea? If so, what exactly 
would the ACI look like? I'm guessing something like:

OpenLDAPaci: 1#entry#grant;r,w,s,c;[all]#?#o=A,ou=Departments,dn=acme

I've looked at http://www.openldap.org/faq/data/cache/634.html, but I'm not 
exactly sure what type to use, hence the question mark. Other suggestions 
welcomed. I'm using OpenLDAP 2.2.23 on Debian Sarge.