
Re: access control question

Dave Holland <dh3@sanger.ac.uk> writes:

> [Apologies if this arrives twice; I sent it yesterday but I didn't get a
> copy back from the list, nor is there a copy at www.mail-archive.com.]
> I have a slightly unusual access control requirement which I'd
> appreciate some advice on.
> In our directory there are bunch of per-project subtrees:
>   ou=project1,ou=projects,... 
>   ou=project2,ou=projects,... 
> I've been controlling write access to the subtrees like this:
> access to dn.regex="ou=([^,]+),ou=projects,..."
>   by group.expand="cn=administrators,ou=$1,ou=projects,..." write
>   by * read
> where cn=administrators is a groupOfNames. This works well.
> Now I've been asked to implement the following additional behaviour:
> If a cn=readers groupOfNames entry is present, allow read-only access to
> those DNs, allow write access to DNs in cn=administrators, and disallow
> access to everyone else. But if there is NO cn=readers entry, allow read
> access to anyone.
> The first part is a simple extension of what I've already got. But how
> can I implement the different behaviour with no cn=readers entry?
> I'm using OpenLDAP 2.2 with the bdb backend. I'm happy to upgrade to
> 2.3 if necessary.

You don't have to update. I think 'sets' will ideally meet your tasks.


Dieter Klünter | Systemberatung
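For readers landing on this thread: the following slapd.conf fragment is an added illustration of the set-based approach the reply points at, not configuration from either poster. It assumes a placeholder suffix of dc=example,dc=com in place of the elided "..." above, the set.expand style (documented in 2.3, which the original poster was willing to move to), and that cn=readers is a groupOfNames keyed on member like cn=administrators.

```conf
# ACL for the per-project subtrees ou=<project>,ou=projects,...
# "$1" is the project name captured by dn.regex.
# Suffix dc=example,dc=com is a placeholder for the real base DN.
#
# Clauses are tried in order and evaluation stops at the first
# "by" clause that matches, so the order below is what encodes
# "readers group present => restrict, readers group absent => open".
access to dn.regex="ou=([^,]+),ou=projects,dc=example,dc=com$"

    # 1. Members of the project's cn=administrators may write.
    by group.expand="cn=administrators,ou=$1,ou=projects,dc=example,dc=com" write

    # 2. If the bound DN is listed as a member of the project's
    #    cn=readers entry, grant read.  If cn=readers does not exist,
    #    [DN]/member evaluates to the empty set, the intersection with
    #    "user" is empty, and this clause simply does not match.
    by set.expand="[cn=readers,ou=$1,ou=projects,dc=example,dc=com]/member & user" read

    # 3. Existence check: every entry has at least one objectClass value,
    #    so this set is non-empty exactly when cn=readers exists.  In that
    #    case anyone who reached this point is neither an administrator
    #    nor a reader and gets no access.  If cn=readers is absent the set
    #    is empty, the clause does not match, and we fall through.
    by set.expand="[cn=readers,ou=$1,ou=projects,dc=example,dc=com]/objectClass" none

    # 4. Reached only when no cn=readers entry exists: open read access,
    #    i.e. the original behaviour.
    by * read
```

Verify each branch with ldapsearch bound as an administrator, a reader, and an unrelated user, against one project with a cn=readers entry and one without, before relying on it; note that administrators can create or delete cn=readers themselves, since it lives inside the subtree they may write.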