[Date Prev][Date Next]
Re: access control question
Dave Holland <firstname.lastname@example.org> writes:
> [Apologies if this arrives twice; I sent it yesterday but I didn't get a
> copy back from the list, nor is there a copy at www.mail-archive.com.]
> I have a slightly unusual access control requirement which I'd
> appreciate some advice on.
> In our directory there are bunch of per-project subtrees:
> I've been controlling write access to the subtrees like this:
> access to dn.regex="ou=([^,]+),ou=projects,..."
> by group.expand="cn=administrators,ou=$1,ou=projects,..." write
> by * read
> where cn=administrators is a groupOfNames. This works well.
> Now I've been asked to implement the following additional behaviour:
> If a cn=readers groupOfNames entry is present, allow read-only access to
> those DNs, allow write access to DNs in cn=administrators, and disallow
> access to everyone else. But if there is NO cn=readers entry, allow read
> access to anyone.
> The first part is a simple extension of what I've already got. But how
> can I implement the different behaviour with no cn=readers entry?
> I'm using OpenLDAP 2.2 with the bdb backend. I'm happy to upgrade to
> 2.3 if necessary.
You don't have to update. I think 'sets' will ideally meet your tasks.
Dieter Klünter | Systemberatung
GPG Key ID:8EF7B6C6