
Re: Schema Design :: ACL on Groups by Group Members only

On Thu, Mar 17, 2011 at 09:20:59PM +0100, Dieter Kluenter wrote:

> > I want "n" number of groups (or similar structure which keeps member
> > information) to be created and only group members have access to those
> > groups. Members are defined in separate user branch so my DIT look
> > like
> > 
> > dc=example,dc=com
> > +--ou=people,dc=example,dc=com
> > +----uid=bjanson,ou=users,dc=example,dc=com
> > +----uid=matt,ou=users,dc=example,dc=com
> > +--cn=group1,dc=example,dc=com (groupOfNames)
> > +----cn=subgroup1,dc=example,dc=com (groupOfNames)

I assume that last DN should be cn=subgroup1,cn=group1,dc=example,dc=com

> > now users bjanson and matt are member of group1, only bjanson is
> > member of subgroup1. I would like to have ACL defined so only members
> > can access their group. I don't need any ACL on subgroup as long as
> > only all members of parent group can access it.

Be careful here: LDAP is not like a filesystem. Protecting
one node does not automatically protect the nodes beneath it.

> > Is it possible to do that in generic form because basic ACL syntax
> > needs dn/filter in "access to " clause. In my example if I have n
> > groups I will end up having n access control syntax in slapd.conf,
> > which doesn't sound a good idea.

You can use regex matching to write one rule that controls
many groups. With a bit of thought you can probably handle
the subgroups in the same rule (use the regex capture syntax
to derive the DN of the master group so that you can use it
in the 'by whom' part of the rule).

> > Also, I don't need to use groups as such but groupOfNames/
> > groupOfUniqueNames are the only classes which support member attribute.
> > Please let me know if there is any other objectClass I should use.

I would avoid the uniqueNames type. You may want to define
your own objectclass making 'member' an optional attribute
so that you can have empty groups.

> You may use the almost undocumented access control by sets
> http://www.openldap.org/faq/data/cache/1133.html
> http://www.openldap.org/faq/data/cache/1134.html
> These documents provide some examples.

Sets are very powerful, but may not be needed for this job.

|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
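A slapd.conf fragment along the lines Andrew describes, added here as an illustration; it is not from the original thread. It assumes the DIT from the question (top-level groups directly under dc=example,dc=com, subgroups nested one level beneath their parent, groupOfNames entries with a member attribute) and adds the usual userPassword rule so that members can actually bind. The regexes are anchored so that the subgroup rule captures the parent group's DN in $1, while the top-level rule reuses the whole matched DN via $0. The final catch-all rule that lets authenticated users read the people branch is an assumption, not something the question asked for.

```conf
# Added example, not code from the original post. Assumes groups live
# directly under dc=example,dc=com and subgroups sit one level below
# their parent; all groups are groupOfNames with a 'member' attribute.

# Let people authenticate; nobody may read password hashes.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Subgroup entries: cn=<sub>,cn=<parent>,dc=example,dc=com
# $1 captures the parent group's DN, so only the parent's members get in.
# The regex is anchored (^ ... $): without ^ the top-level pattern below
# would also match the tail of a subgroup DN.
access to dn.regex="^cn=[^,]+,(cn=[^,]+,dc=example,dc=com)$"
    by group.expand="$1" read
    by * none

# Top-level group entries: cn=<group>,dc=example,dc=com
# $0 is the whole matched DN, i.e. the group entry itself.
access to dn.regex="^(cn=[^,]+,dc=example,dc=com)$"
    by group.expand="$0" read
    by * none

# Everything else (the suffix entry, the people branch) is readable to
# authenticated users so that member DNs can still be resolved.
# This last rule is an assumption about the deployment, not a requirement.
access to *
    by users read
    by * none
```

Two things to keep in mind when adapting this. slapd evaluates `access to` clauses in order and uses the first one whose target matches the entry, so the specific group rules must come before `access to *`. And `group.expand` needs the expanded value to be the exact DN of a group entry, which is why the patterns capture the full DN rather than just the cn; any entry under the suffix whose DN happens to match the pattern (an unrelated cn=... entry directly under dc=example,dc=com, for instance) will also be treated as a group by these rules, so put groups under their own container if the suffix is shared with other entries.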