
access control

Hello all,

I am working on my first installation of OpenLDAP, so please bear with me.
I assure you in advance I have been digging through the manual and only
resort to the mailing list after exhausting my ability to understand how to write
the access portion of slapd.conf by reading the administration guide.  In
particular, if some of the language I use in the email is a bit hazy, I'm trying
my best.

Anyway, here is the background: I have designed the tree structure as follows.
Beneath the rootdn there are organizationalUnit objects, and beneath those there are
organizationalPerson objects.
I'm trying to write the access control with the following *general* goal.  The goal is that
authenticated users can only have read access to organizationalPerson
objects beneath the organizationalUnit containing the organizationalPerson object
the user authenticated against.
The authenticated users should not be able to view any organizationalUnits except the
one containing the organizationalPerson object they authenticated against.

So now I will come to the problem.
There is no way (that I've found in the administration guide) to
access the entry a user authenticated against when writing the access control rules.
Therefore, in order to support the above general goal, I must hardcode the value of the
ou attribute into an access rule for every organizationalUnit in the tree.
Obviously this is a maintenance nightmare, as I would need to support modification of
the slapd.conf file if I wanted to create an interface where administrators could add /
remove organizationalUnits or modify the value of their ou attribute.

Please tell me there is a way to analyze the values of attributes in the entry an authenticated
user authenticated against, or that there is some other way to tackle the problem.
I am happy to send the relevant portions of slapd.conf.
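The ou-scoped rule the post is asking for, as an added example that is not from the poster's slapd.conf: a slapd ACL `by dn.regex` clause can expand `$N` back-references captured by the `to dn.regex` pattern, so the ou value is read from the DN of the entry being accessed at evaluation time instead of being hardcoded per unit. Assumed here: the suffix is dc=example,dc=com and every person entry sits directly beneath its organizationalUnit.

```conf
# Added example, not from the original post. Assumed suffix: dc=example,dc=com.
# slapd evaluates "access to" clauses in order and the first matching <what>
# wins, so the password rule must come before the broader entry rules.

# 1. Passwords are usable for bind only and never readable.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# 2. Let authenticated users start a subtree search at the suffix entry
#    without being able to read it (search access only).
access to dn.base="dc=example,dc=com"
        by users search

# 3. The scoped rule. <what> matches an organizationalUnit entry itself
#    ((.+,)? is empty) or any entry beneath it, and captures the ou value in $2.
#    <who> expands $2, so only a user bound as <rdn>,ou=<that same ou>,... gets
#    read access; a user bound under any other ou falls through to "by * none"
#    and cannot see the unit or the people in it.
#    Administrators adding, removing or renaming units change only the DIT,
#    never this file (and a bind as rootdn bypasses ACLs entirely).
access to dn.regex="^(.+,)?ou=([^,]+),dc=example,dc=com$"
        by dn.regex="^[^,]+,ou=$2,dc=example,dc=com$" read
        by * none
```

Note that `$2` is substituted textually into a regex, so an ou value containing regex metacharacters (for example `.` or `+`) would match more loosely than intended; keep ou values plain, or restrict them at provisioning time.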