
Controlling access based on group membership


I have a problem of long and complex ACLs which I need to improve. Therefore, I am thinking of a way to change privilege (access) management.

I have dc=example,dc=com, with branches ou=people, ou=aliases (for email use), ou=dns (dns entries), ou=Groups.

In ou=Groups entries are of the form:
dn: cn=TechAdmins,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: TechAdmins
member: uid=jack,ou=people,dc=example,dc=com
member: uid=jeff,ou=people,dc=example,dc=com

I would like to be able to control access to any and all entries based on attributes (to be added to the entries) which specify a group to be used for administration.

So, for example, I could add to all entries an AUXiliary objectClass (hypothetical at the moment) "AdminGroupOwnership" with (multi-valued) attributes AdminGroups, ReadGroups and SearchGroups, with values of the form cn=<groupname>,ou=Groups,dc=example,dc=com. Members of the first would have write access, members of the second would have read access, and members of the third would have search access only.

I would like to ask the list:
1. Can someone demonstrate how we should formulate an ACL which would accomplish the above? The ACL should say:
access to <some entries> <some attribute>
    by {a DN which belongs to a Group specified in the AdminGroups attr of the entry} write
    by {a DN which belongs to a Group specified in the ReadGroups attr of the entry} read
    by {a DN which belongs to a Group specified in the SearchGroups attr of the entry} search

2. Is there an existing (included in the distribution or available from a third-party) schema or similar mechanism available (so that I don't re-invent the wheel)?

Thanks in advance,
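One way to express the ACL asked for in question 1, added here as an example and not part of the original post: slapd's `by group=` style needs a literal group DN, so it cannot follow a group named inside the target entry, but the `set` style can, because `this` denotes the entry being accessed and `this/AdminGroups/member` walks from that entry's attribute values to the member lists of the groups they name. The schema below is the poster's hypothetical objectClass written out; the OID arc 1.3.6.1.4.1.99999 and the cn=admin DN are placeholders, and the slapd.conf syntax is assumed (the same rules can be written as olcAccess values under cn=config).

```conf
# Added example, not from the original post. Assumes the poster's hypothetical
# AUXILIARY objectClass "AdminGroupOwnership" and its attributes; the OID arc
# 1.3.6.1.4.1.99999 is a placeholder and must be replaced by an arc you own.
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'AdminGroups'
    DESC 'DNs of groups whose members may write this entry'
    SUP distinguishedName )
attributetype ( 1.3.6.1.4.1.99999.1.2 NAME 'ReadGroups'
    DESC 'DNs of groups whose members may read this entry'
    SUP distinguishedName )
attributetype ( 1.3.6.1.4.1.99999.1.3 NAME 'SearchGroups'
    DESC 'DNs of groups whose members may search this entry'
    SUP distinguishedName )
objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'AdminGroupOwnership'
    DESC 'Per-entry delegation of access to groups'
    AUXILIARY
    MAY ( AdminGroups $ ReadGroups $ SearchGroups ) )

# ACLs are evaluated in order and the first "access to" clause matching the
# target wins, so protect the delegation attributes themselves first. Otherwise
# anyone holding write access to an entry could rewrite its AdminGroups value
# and hand that access to any group. cn=admin,... stands in for your manager DN.
access to dn.subtree="dc=example,dc=com"
        attrs=AdminGroups,ReadGroups,SearchGroups
    by dn.exact="cn=admin,dc=example,dc=com" write
    by set="this/AdminGroups/member & user" read
    by * none

# "this" is the entry being accessed; "this/AdminGroups" expands to the DNs
# stored in its AdminGroups attribute, "/member" fetches the member values of
# those groupOfNames entries, and "& user" intersects with the bound DN. The
# set is non-empty exactly when the bound user is a member of a named group.
access to dn.subtree="dc=example,dc=com"
    by set="this/AdminGroups/member & user" write
    by set="this/ReadGroups/member & user" read
    by set="this/SearchGroups/member & user" search
    by * none
```

Two caveats when using this: slapd.access(5) marks the `set` style as experimental, so test it against the release you run before relying on it, and the first clause is what keeps the scheme from becoming a privilege-escalation path, since without it an entry's write-holders could delegate further rights at will.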