
Help with ACLs

Hello and apologies if I'm posting this in the wrong location.

I'm trying to apply some security to my openldap repository and I'm
struggling with how or even if I can express a particular constraint.

I have an ou containing inetOrgPersons, and each person's "o" attribute
is the string value of the organisation "o" to which the user belongs,
e.g. "Some Company Ltd".

e.g. dn=uid=12345679,ou=people,dc=thecompany,dc=co,dc=nz attr o=Some Company Ltd

The organisation "Some Company Ltd" can have subsidiary organisations,
specified by the "owner" attribute of the subsidiary having the "dn"
of owner organisation.

e.g. dn: o=Subsidiary Company Ltd,ou=organisations,dc=thecompany,dc=co,dc=nz having attr
owner: o=Some Company Ltd,ou=organisations,dc=thecompany,dc=co,dc=nz

What I would like to do is restrict the user to having read access
only to those subsidiary organisations based on the value of the
user's "o" attribute. Is this a reasonable approach or should I be
expressing this differently in my schema?

I hope I've expressed that reasonably clearly. Any help would be much
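One way to express the constraint described above in OpenLDAP's own access-control language, as an added example that is not part of the original post: a set-based ACL (`by set=...`, documented in slapd.access(5), where it is described as experimental) that grants read on an entry under ou=organisations only when an "o" value of the entry named by that entry's "owner" attribute equals an "o" value of the bound user. The database name `olcDatabase={1}mdb` and the "self read / anonymous auth" fallback rule are assumptions; the suffixes and attribute names are the ones from the post. As a small generalisation of the post, the rule also lets a user read their own organisation's entry (`this/o & user/o`), which has no "owner" attribute and would otherwise be unreadable.

```ldif
# Added example (not from the original post): olcAccess rules in cn=config form.
# Assumes the DIT from the post: users under ou=people with an "o" string
# attribute, organisations under ou=organisations, and each subsidiary's
# "owner" attribute holding the DN of its parent organisation entry.
# The database name "{1}mdb" is an assumption; adjust to the real one.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Rule 0: entries under ou=organisations.
#   "this/owner/o" - take this entry's owner DN(s), look up those entries,
#                    and collect their "o" values (e.g. "Some Company Ltd")
#   "user/o"       - the "o" values of the bound user's own entry
#   "&"            - set intersection; non-empty means the user's
#                    organisation owns this subsidiary
#   "this/o & user/o" additionally lets a user read their own organisation.
# Everyone else (including anonymous) gets nothing on this subtree.
olcAccess: {0}to dn.subtree="ou=organisations,dc=thecompany,dc=co,dc=nz"
  by set="this/owner/o & user/o" read
  by set="this/o & user/o" read
  by * none
# Rule 1: everything else (assumed fallback). Users may read their own
# entry, anonymous may bind (needed so the user's "o" can be resolved
# after authentication), nobody else sees anything.
olcAccess: {1}to *
  by self read
  by anonymous auth
  by * none
```

Because the ACL depends on dereferencing the "owner" DN, it only works while "owner" holds the exact DN of an existing organisation entry; a typo or a renamed parent silently denies access rather than granting it, which is the safe failure mode. Before relying on it, check the effective rights offline with `slapacl`, e.g. `slapacl -D "uid=12345679,ou=people,dc=thecompany,dc=co,dc=nz" -b "o=Subsidiary Company Ltd,ou=organisations,dc=thecompany,dc=co,dc=nz" o`, once for a user whose "o" matches the owner and once for a user whose "o" does not.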