
Re: access control question



Dave Holland <dh3@sanger.ac.uk> writes:

> [Apologies if this arrives twice; I sent it yesterday but I didn't get a
> copy back from the list, nor is there a copy at www.mail-archive.com.]
>
> I have a slightly unusual access control requirement which I'd
> appreciate some advice on.
>
> In our directory there are a bunch of per-project subtrees:
>   ou=project1,ou=projects,... 
>   ou=project2,ou=projects,... 
>
> I've been controlling write access to the subtrees like this:
>
> access to dn.regex="ou=([^,]+),ou=projects,..."
>   by group.expand="cn=administrators,ou=$1,ou=projects,..." write
>   by * read
>
> where cn=administrators is a groupOfNames. This works well.
>
> Now I've been asked to implement the following additional behaviour:
>
> If a cn=readers groupOfNames entry is present, allow read-only access to
> those DNs, allow write access to DNs in cn=administrators, and disallow
> access to everyone else. But if there is NO cn=readers entry, allow read
> access to anyone.
>
> The first part is a simple extension of what I've already got. But how
> can I implement the different behaviour with no cn=readers entry?
>
> I'm using OpenLDAP 2.2 with the bdb backend. I'm happy to upgrade to
> 2.3 if necessary.

You don't have to update. I think 'sets' will ideally meet your tasks.
http://www.openldap.org/faq/data/cache/1133.html

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
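A slapd.conf sketch of the set-based approach, added here as an illustration; it is not part of the original thread and not OpenLDAP's own documentation. It assumes a base of dc=example,dc=com (the original elides it), the `set.expand` who-style as documented in slapd.access(5) for 2.3 (check the spelling in the release actually in use), and the documented set semantics that `[dn]/attr` evaluates to the empty set when the entry at `dn` does not exist. The administrators clause is kept as the poster already has it, and the existence test is done with `objectClass`, an attribute every entry carries:

```conf
# Added example, not from the thread. Assumed base: dc=example,dc=com.
# $1 is the project name captured by the regex, as in the original ACL.
access to dn.regex="ou=([^,]+),ou=projects,dc=example,dc=com$"
  # Project administrators keep write access (unchanged from the original ACL).
  by group.expand="cn=administrators,ou=$1,ou=projects,dc=example,dc=com" write
  # Members of cn=readers get read access; if that entry is absent the set is
  # empty, the clause does not match, and evaluation moves on.
  by set.expand="[cn=readers,ou=$1,ou=projects,dc=example,dc=com]/member & user" read
  # Existence test: [dn]/objectClass is non-empty for any existing entry and
  # empty when cn=readers is absent. If cn=readers exists, everyone not matched
  # above is denied here, because the first matching <who> clause decides
  # (the default control is stop).
  by set.expand="[cn=readers,ou=$1,ou=projects,dc=example,dc=com]/objectClass" none
  # Reached only when cn=readers does not exist: public read, as before.
  by * read
```

The ordering carries the logic: the `none` clause must sit after the readers clause and before `by * read`, and nothing in it references `user`, so it matches anonymous binds as well. Because the set lookup of cn=readers is an internal read that some releases subject to an access check for the bound identity, verify the result with real binds (anonymous, a reader, an administrator, an unrelated user) against one project with a cn=readers entry and one without, for example with `slapacl` on 2.3, before relying on it.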