access control question
[Apologies if this arrives twice; I sent it yesterday but I didn't get a
copy back from the list, nor is there a copy at www.mail-archive.com.]
I have a slightly unusual access control requirement which I'd
appreciate some advice on.
In our directory there are a bunch of per-project subtrees:
I've been controlling write access to the subtrees like this:
access to dn.regex="ou=([^,]+),ou=projects,..."
by group.expand="cn=administrators,ou=$1,ou=projects,..." write
by * read
where cn=administrators is a groupOfNames. This works well.
Now I've been asked to implement the following additional behaviour:
If a cn=readers groupOfNames entry is present, allow read-only access to
those DNs, allow write access to DNs in cn=administrators, and disallow
access to everyone else. But if there is NO cn=readers entry, allow read
access to anyone.
The first part is a simple extension of what I've already got. But how
can I implement the different behaviour with no cn=readers entry?
I'm using OpenLDAP 2.2 with the bdb backend. I'm happy to upgrade to
2.3 if necessary.
Thanks in advance.
** Dave Holland ** Systems Support -- Special Projects Team **
** 01223 496923 ** Sanger Institute, Hinxton, Cambridge, UK **
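The policy the post asks for, written out as an added example that is not part of the original message and is not slapd configuration. It models slapd's evaluation order (the first `by` clause whose subject matches decides the outcome, and no match means deny) over a constructed in-memory directory, so that both branches of the requirement can be checked side by side: a project with a cn=readers group and one without. The suffix dc=example,dc=com, the project names, the users and the `member` values are all assumptions made for the example; the post's own suffix is elided. It does not claim to show how the "no cn=readers entry" branch is expressed in slapd.conf, which is the open question in the post.

```python
import re

# Assumed suffix; the original post elides it with "...".
SUFFIX = "dc=example,dc=com"

# Constructed sample directory (DN -> attributes). Not from the original post.
DIRECTORY = {
    f"ou=alpha,ou=projects,{SUFFIX}": {"objectClass": ["organizationalUnit"]},
    f"cn=administrators,ou=alpha,ou=projects,{SUFFIX}": {
        "objectClass": ["groupOfNames"],
        "member": [f"uid=alice,ou=people,{SUFFIX}"],
    },
    f"cn=readers,ou=alpha,ou=projects,{SUFFIX}": {
        "objectClass": ["groupOfNames"],
        "member": [f"uid=bob,ou=people,{SUFFIX}"],
    },
    f"cn=doc1,ou=alpha,ou=projects,{SUFFIX}": {"objectClass": ["document"]},
    # Project "beta" has administrators but no cn=readers entry at all.
    f"ou=beta,ou=projects,{SUFFIX}": {"objectClass": ["organizationalUnit"]},
    f"cn=administrators,ou=beta,ou=projects,{SUFFIX}": {
        "objectClass": ["groupOfNames"],
        "member": [f"uid=carol,ou=people,{SUFFIX}"],
    },
    f"cn=doc2,ou=beta,ou=projects,{SUFFIX}": {"objectClass": ["document"]},
}

# Same shape as the dn.regex in the post, with the assumed suffix filled in.
# It is deliberately unanchored on the left so that entries *below* the
# project ou (documents, groups) match too, just as in the post's ACL.
PROJECT_RE = re.compile(rf"ou=([^,]+),ou=projects,{re.escape(SUFFIX)}$")


def group_members(dn):
    """Return the member DNs of a groupOfNames, or an empty set if absent."""
    return set(DIRECTORY.get(dn, {}).get("member", []))


def entry_exists(dn):
    return dn in DIRECTORY


def project_rules(project):
    """Ordered (subject test, access level) pairs for one project subtree.

    This mirrors a slapd 'access to ... by ...' stanza: the first pair whose
    test matches the bind DN decides the outcome. The list differs depending
    on whether cn=readers exists, which is exactly the conditional behaviour
    the post is asking how to express in slapd.conf.
    """
    base = f"ou={project},ou=projects,{SUFFIX}"
    admins = f"cn=administrators,{base}"
    readers = f"cn=readers,{base}"
    if entry_exists(readers):
        return [
            (lambda who: who in group_members(admins), "write"),
            (lambda who: who in group_members(readers), "read"),
            (lambda who: True, "none"),  # explicit deny for everyone else
        ]
    return [
        (lambda who: who in group_members(admins), "write"),
        (lambda who: True, "read"),  # no readers group: anyone may read
    ]


def effective_access(target_dn, bind_dn):
    """Access level ('write', 'read' or 'none') bind_dn has on target_dn.

    bind_dn == "" models an anonymous bind. Targets outside the projects
    subtree, or a bind DN matching no 'by' clause, get 'none', which is
    slapd's implicit default when no clause matches.
    """
    m = PROJECT_RE.search(target_dn)
    if not m:
        return "none"
    for test, level in project_rules(m.group(1)):
        if test(bind_dn):
            return level
    return "none"


if __name__ == "__main__":
    for target in (f"cn=doc1,ou=alpha,ou=projects,{SUFFIX}",
                   f"cn=doc2,ou=beta,ou=projects,{SUFFIX}"):
        for who in (f"uid=alice,ou=people,{SUFFIX}",
                    f"uid=bob,ou=people,{SUFFIX}",
                    f"uid=carol,ou=people,{SUFFIX}",
                    ""):
            print(f"{who or '(anonymous)':40s} -> {target}: "
                  f"{effective_access(target, who)}")
```

The useful check is the anonymous bind: on the project that has a cn=readers entry it gets nothing, on the project without one it gets read, and administrators keep write access in both cases. Whatever slapd.conf construct ends up implementing this should reproduce that table before it goes into production.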