hi,
I'm planning the new ACL layout for our Wheezy LDAP server.
Our layout:
Main suffix: dc=example,dc=com
then the first department:
ou=department1,dc=example,dc=com
ou=people,ou=department1,dc=example,dc=com
uid=foobar,ou=people,ou=department1,dc=example,dc=com
[...]
ou=groups,ou=department1,dc=example,dc=com
gid=students,ou=groups,ou=department1,dc=example,dc=com
[...]
ou=roles,ou=department1,dc=example,dc=com
cn=mail,ou=roles,ou=department1,dc=example,dc=com
cn=admins,ou=roles,ou=department1,dc=example,dc=com
ou=services,ou=department1,dc=example,dc=com
ou=mail,ou=services,ou=department1,dc=example,dc=com
cn=aliases,ou=mail,ou=services,ou=department1,dc=example,dc=com
[...]
next, department2, the same:
ou=department2,dc=example,dc=com
ou=people,ou=department2,dc=example,dc=com
uid=foobar,ou=people,ou=department2,dc=example,dc=com
[...]
[...]
....
completely the same as department1
Now I'm stuck on the ACLs. I want to make use of regexes, so that every department has its own roles, groups and admins and access only to its own (for example) services.
What I already have:
{0}to attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTpassword
by self =xw
by anonymous auth
by * none
{1}to dn.regex="uid=(.+),ou=people,ou=(.+),dc=example,dc=com$" attrs="myFB,myStudiengang,gender,myMatrikel,myTudUserUniqueID"
by self read
by * none
{2}to dn.regex="uid=(.+),ou=people,ou=(.+),dc=example,dc=com$" attrs="mail,myMailalias,myMailDomain,myNoMail"
by self read
by dn.regex="cn=mail,ou=roles,ou=$2,dc=example,dc=com$" read
by * none
{3}to dn.regex="^(.+,)?ou=mail,ou=services,ou=(.+)?,dc=example,dc=com$"
by dn.regex="cn=mail,ou=roles,ou=$2,dc=example,dc=com$" read
{4}to dn.regex="^(.+,)?ou=services,ou=(.+,)?dc=example,dc=com$"
by * none
{5}to *
by dn.base="cn=Admin,dc=example,dc=com" write
by * read
{6}to dn.base="dc=example,dc=com"
by self write
by dn.base="cn=Admin,dc=example,dc=com" write
by * read
I'm able to read the subtree:
"ou=mail,ou=services,ou=department1,dc=example,dc=com"
only with the
authenticated user "cn=mail,ou=roles,ou=department1,dc=example,dc=com"
and
"ou=mail,ou=services,ou=department2,dc=example,dc=com"
with
authenticated user "cn=mail,ou=roles,ou=department2,dc=example,dc=com"
and I can't search the service tree of ou=department1 with a user from ou=department2 :-)
But why can't I see "ou=services,ou=department2,dc=example,dc=com"? Just so I know where I have a problem ... for the services (Postfix in most cases) it isn't important that they can't see "ou=services".
Also I want to make sure that every department's "admin group" (cn=admins,ou=roles,ou=<department>,dc=example,dc=com -> groupOfUniqueNames) can do everything under their (and only their) tree ou=<department>,dc=example,dc=com.
So, any tips are welcome :-)
cu denny
pages I have already open:
http://www.openldap.org/doc/admin24/access-control.html
http://wiki.mandriva.com/fr/uploads/3/3a/Mandriva-dit-access-template.conf
http://www.openldap.org/devel/admin/slapdconf2.html
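An added example (not denny's config, and not taken from the OpenLDAP docs) of how the per-department pieces could fit together in cn=config form, using the $N back-references from the "to dn.regex" clause in both the "by dn.regex" and "by group...expand" clauses; it assumes the database is olcDatabase={1}hdb,cn=config and that each cn=admins,ou=roles,ou=<dept>,dc=example,dc=com is a groupOfUniqueNames listing the department's admins in uniqueMember.

```ldif
# Added example, not the poster's configuration (assumptions: database is
# olcDatabase={1}hdb,cn=config; cn=admins,ou=roles,ou=<dept>,... is a
# groupOfUniqueNames whose uniqueMember values are the department admins).
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
# Passwords: $1 is the department captured from the entry DN, so only that
# department's admins get write; users set their own; anyone may bind.
olcAccess: {0}to dn.regex="^uid=[^,]+,ou=people,ou=([^,]+),dc=example,dc=com$"
  attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTPassword
  by dn.base="cn=Admin,dc=example,dc=com" write
  by group/groupOfUniqueNames/uniqueMember.expand="cn=admins,ou=roles,ou=$1,dc=example,dc=com" write
  by self =xw
  by anonymous auth
  by * none
# ou=mail data: readable only by the same department's cn=mail role ($2).
olcAccess: {1}to dn.regex="^(.+,)?ou=mail,ou=services,ou=([^,]+),dc=example,dc=com$"
  by dn.base="cn=Admin,dc=example,dc=com" write
  by group/groupOfUniqueNames/uniqueMember.expand="cn=admins,ou=roles,ou=$2,dc=example,dc=com" write
  by dn.regex="^cn=mail,ou=roles,ou=$2,dc=example,dc=com$" read
  by * none
# The ou=services entry itself. A rule ending in "by * none" that covers
# the whole ou=services subtree hides this entry from everyone; grant the
# department's roles read on it so they can see it and search from it.
olcAccess: {2}to dn.regex="^ou=services,ou=([^,]+),dc=example,dc=com$"
  by dn.base="cn=Admin,dc=example,dc=com" write
  by group/groupOfUniqueNames/uniqueMember.expand="cn=admins,ou=roles,ou=$1,dc=example,dc=com" write
  by dn.regex="^cn=[^,]+,ou=roles,ou=$1,dc=example,dc=com$" read
  by * none
# Any other service data stays private to the department's admins.
olcAccess: {3}to dn.regex="^(.+,)?ou=services,ou=([^,]+),dc=example,dc=com$"
  by dn.base="cn=Admin,dc=example,dc=com" write
  by group/groupOfUniqueNames/uniqueMember.expand="cn=admins,ou=roles,ou=$2,dc=example,dc=com" write
  by * none
# The rest of a department subtree: its own admins write, bound users read.
olcAccess: {4}to dn.regex="^(.+,)?ou=([^,]+),dc=example,dc=com$"
  by dn.base="cn=Admin,dc=example,dc=com" write
  by group/groupOfUniqueNames/uniqueMember.expand="cn=admins,ou=roles,ou=$2,dc=example,dc=com" write
  by users read
  by * none
# The suffix entry and anything outside a department.
olcAccess: {5}to *
  by dn.base="cn=Admin,dc=example,dc=com" write
  by users read
  by * none
```

Rules are tried in order and the first matching "to" wins, so the narrower ou=mail and ou=services rules must stay in front of the department-wide {4}; after loading with ldapmodify, check each case with slapacl (e.g. slapacl -D "cn=mail,ou=roles,ou=department2,dc=example,dc=com" -b "ou=services,ou=department2,dc=example,dc=com" entry) rather than by trial searches.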