[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: access control

--On December 5, 2007 1:41:49 PM -0500 Nathan Nobbe <quickshiftin@gmail.com> wrote:

i have not read any material on ideal directory layout.  can you refer me
to good
resource?  the design i have created is based only on intuition.  that,
and the schema
reference available in phpLdapAdmin.  truth be told, ive found the
documentation in
the openldap administration guide only marginally helpful.  at least i
havent seen much
in there about ldap itself; the guide seems to presume preexisting
knowledge of ldap;
of which mine is scant :)

Well, there's not hard rule. The general principal is, as flat as possible, as deep as necessary. The problem of course is compounded that bad design decisions at the beginning can haunt you for years. ;)

if i were to have a tree for organizationalUnit objects and another for
objects, what would the ideal root objectClass of those trees?

The root objectClass of a tree really does not have to pertain to the objects contained in that tree. I tend to make my branch roots fairly benign, like:

dn: cn=people,dc=myorg,dc=com objectclass: organizationalRole description: people cn: people

In answer to your question, however, you may find that using sets helps
with some of what you want to do.

what are sets in the context of ldap?

That's an excellent question. Some day they'll be documented, hopefully. :) But here are some examples:

access to dn.children="cn=people,dc=myorg,dc=com"
   by set.exact="this/uid & user/uid" read

If THIS ENTRY and the BINDING USER have the same value for UID, allow READ

access to dn.children="cn=nis,dc=myorg,dc=com"
   by set.exact="this/host & user" read

if THIS ENTRY's host attribute matches the USER, allow READ



Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra ::  the leader in open source messaging and collaboration