[Date Prev][Date Next] [Chronological] [Thread] [Top]

ACL: Permissions with Groups and 'memberOf' Using Regex


I'm designing a directory structure for our radio amateur union, and I
have a problem with somewhat complex ACL (for me). Before I ask my
question, I want to mention that this structure is not in production so
it can always change. I may have designed the structure wrong, and
there would be a better way to represent it. However, I believe that
this is the correct way of representing our amateur radio union's

As a radio amateur union, we have different branches across different
cities. These branches have their own members, and own managers,
Additionally, there is a unit which is the manager of the whole union.
Their members are listed in "cn=general-managers,<base dn>".

All of the user information is stored under "ou=people,<base dn>" and
'memberOf' overlay is enabled.

The structure is below:

==== BEGIN: directory structure ====

- <base dn>
    - cn=general-managers (groupOfNames)

    - ou=branch
        - ou=foo-city
            - cn=managers (groupOfNames)
            - cn=members  (groupOfNames)

        - ou= bar-city
            - cn=managers (groupOfNames)
            - cn=members (groupOfNames)

     - ou=people
        cn=ta1aet (inetOrgPerson)
            memberOf: cn=managers,ou=foo-city,ou-branch,<base-dn>
            memberOf: cn=members,ou=foo-city,ou-branch,<base-dn>

            memberOf: cn=members,ou=foo-city,ou-branch,<base-dn>

            memberOf: cn=members,ou=bar-city,ou-branch,<base-dn>
        cn= CALLSIGNn

==== END: directory structure ====

So far, I have achieved to write an ACL for "ou=people". The users have
write permission to some of the attributes such as "givenName, sn, mail,
address" but they don't have permission to edit "title" (which should be
edited by his manager in his branch)

What I am aiming is listed below. 

1- People in cn=managers,ou=XXXX,ou=branch should be able to add new
   user/member under "ou=people,<base dn>". (Of course, setting member
   attribute their branch "cn=members,ou=XXXX,ou=branch")

2- These managers (cn=managers,ou=XXX,ou=branch) should only be able to
   edit attributes of members registered to them. So, only people that
   are member of "cn=members,ou=XXX,ou=branch" should be edited by
3- Any user should be able to edit some (e.g not 'title') of his
   attributes (I've done it but I'm not sure if it can be done in a more
   elegant way. Config is attached at the end).

4- General managers should be able to edit the tree and children of
   "ou=branch,<base dn>" as well as "ou=people,<base dn>". This looks a
   bit easier compared to 1 and 2.

I have searched through all regular expressions tutorials but none of
them includes such a membership example. "access to" syntax has "filter"
option. Since 'access to' requires <what> clause first, I thought of
using regular expression to filter the people accordingly to their
'memberOf' attributes, somehow (-don't know how :) -) match their
branches that they belong to, and give access to corresponding manager
group. However, 'filter' does not seem to accept regular expressions and
it requires a direct attribute.

I cannot further proceed right now, and I will really appreciate a hand
on this issue.

My best regards and 73s!

==== BEGIN: current olcAccess ====

olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonym
 ous auth by dn="cn=admin,dc=trac,dc=org,dc=tr" write by * none

olcAccess: {1}to dn.base="dc=trac,dc=org,dc=tr" by dn="cn=admin,dc=trac,dc=o
 rg,dc=tr" write by * read by anonymous none

olcAccess: {2}to dn.base="ou=people,dc=trac,dc=org,dc=tr" attrs="entry,objec
 tClass" by dn.one="ou=people,dc=trac,dc=org,dc=tr" read by anonymous none

olcAccess: {3}to dn.one="ou=people,dc=trac,dc=org,dc=tr" attrs="givenName,sn
 ,mail" by self write by dn.one="ou=people,dc=trac,dc=org,dc=tr" read

olcAccess: {4}to dn.one="ou=people,dc=trac,dc=org,dc=tr" attrs="entry,object
 Class,cn,givenName,sn,title,mail" by dn.one="ou=people,dc=trac,dc=org,dc=tr
 " read by anonymous none

==== END: current olcAccess ====

    . 73! DE TA1AET

Attachment: pgpjEBDdFfY8K.pgp
Description: PGP signature