[Date Prev][Date Next] [Chronological] [Thread] [Top]

access control question

To: openldap-software@OpenLDAP.org
Subject: access control question
From: Dave Holland <dh3@sanger.ac.uk>
Date: Thu, 7 Jul 2005 14:00:36 +0100
Content-disposition: inline
User-agent: Mutt/1.5.9i

[Apologies if this arrives twice; I sent it yesterday but I didn't get a
copy back from the list, nor is there a copy at www.mail-archive.com.]

I have a slightly unusual access control requirement which I'd
appreciate some advice on.

In our directory there are bunch of per-project subtrees:
  ou=project1,ou=projects,... 
  ou=project2,ou=projects,... 

I've been controlling write access to the subtrees like this:

access to dn.regex="ou=([^,]+),ou=projects,..."
  by group.expand="cn=administrators,ou=$1,ou=projects,..." write
  by * read

where cn=administrators is a groupOfNames. This works well.

Now I've been asked to implement the following additional behaviour:

If a cn=readers groupOfNames entry is present, allow read-only access to
those DNs, allow write access to DNs in cn=administrators, and disallow
access to everyone else. But if there is NO cn=readers entry, allow read
access to anyone.

The first part is a simple extension of what I've already got. But how
can I implement the different behaviour with no cn=readers entry?

I'm using OpenLDAP 2.2 with the bdb backend. I'm happy to upgrade to
2.3 if necessary.

Thanks in advance.

Dave
-- 
** Dave Holland ** Systems Support -- Special Projects Team **
** 01223 496923 ** Sanger Institute, Hinxton, Cambridge, UK **

Follow-Ups:
- Re: access control question
  - From: "Dieter Kluenter" <dieter@dkluenter.de>

Prev by Date: Send LDAPMessage
Next by Date: Re: openldap profiling tools
Index(es):
- Chronological
- Thread