Re: Assigning user access to parts of tree
Hi Marco, and thanks again!
Hmm, it seems that I may have stated the original problem in a method
which could cause confusion. Here's the real scenario:
- I have my top-level domain, say "dn:dc=abcd,dc=com"
- Within this I create an ou called virtualDomain thus:
"dn:ou=virtualDomain,dc=abcd,dc=com"
- Within this I create a number of virtual domains, e.g.
"dn:domainName=virtual1.com,ou=virtualDomain,dc=abcd,dc=com"
"dn:domainName=virtual2.net,ou=virtualDomain,dc=abcd,dc=com"
...
Now I'd need each of these to be administered by a different person;
the scenario is that of a web/mail hosting company which is hosting
multiple domains, one each per client. The client should have
complete access to read/write each domain's information. The client's
authentication/authorisation information and password must also be
stored in the LDAP database itself, so that s/he has the option of
changing it at will.
To further complicate matters, within each virtualDomain there will be
multiple virtualEmailUsers, each of whom will /also/ need their own
authentication in order to be able to change their POP password,
auto-reply file, etc. Naturally, the domain owner must have "super-user"
permissions on this whole domain subtree (including the email users'
trees).
Perhaps I'm just slow in catching on, but is this possible with either
of the schemes which you're suggesting?
Regards,
-- Raju
>>>>> "Marco" == Marco Ferrante <ferrante@unige.it> writes:
>> Hi Marco,
Marco> Hi,
>> Thanks for the quick and detailed reply. However if I
>> understand you rightly, these access permissions go into the
>> slapd.conf. Is there any way of maintaining these permissions
>> within the LDAP database itself?
Marco> With these methods you have to set slapd.conf only one
Marco> time, then you can control access by editing entries directly.
Marco> With the method using "groupOfNames", every time you add an
Marco> entry called "cn=RWusers, ..." under a subtree and put a DN
Marco> in a "member" attribute value of this entry, this DN can
Marco> read and write every object under the subtree. Ex:
Marco> SLAPD.CONF:
Marco> # $2 is the value of the "ou=" component, so the group DN needs "ou=$2"
Marco> access to dn="(.*),ou=(.*),dc=abcd,dc=com"
Marco>     by self write
Marco>     by group="cn=RWusers,ou=$2,dc=abcd,dc=com" write
Marco>     by group="cn=ROusers,ou=$2,dc=abcd,dc=com" read
Marco> LDIF:
Marco> dn: cn=RWusers,ou=virtualDomain,dc=abcd,dc=com
Marco> objectClass: groupOfNames
Marco> cn: RWusers
Marco> ou: virtualDomain
Marco> member: cn=userA,ou=adomain,dc=abcd,dc=com
Marco> member: cn=userC,ou=anotherdomain,dc=abcd,dc=com
Marco> ... other stuff ...
Marco> Every user that binds with a DN listed in "member" can
Marco> write in the ou=virtualDomain,dc=abcd,dc=com subtree. You can
Marco> add and remove values from the entry without touching
Marco> SLAPD.CONF.
Marco> With the second method ACLs also depend on entries, in a
Marco> more performant but less flexible way.
Marco> Bye
Marco> --------------------------------------------------------
Marco> Marco Ferrante (ferrante@unige.it) CSITA (Centro Servizi
Marco> Informatici e Telematici d'Ateneo) Università degli Studi
Marco> di Genova - Italy Viale Brigata Salerno - 16147 Genova tel
Marco> (+39) 0103532621 (interno tel. 2621)
Marco> --------------------------------------------------------
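The same group-based scheme carried over to Raju's domainName-based tree, as an added example (not Marco's configuration and not from the original thread). It assumes OpenLDAP 2.x ACL syntax (dn.regex, group.expand), that domainName comes from the site's own schema, and that cn=owner, cn=bob and the password hashes are placeholders:

```text
# ---- slapd.conf (added example; OpenLDAP 2.x syntax assumed) ----
# Regexes are matched against the normalized DN, so the pattern is written in
# lower case. $2 captures the domainName value, so each domain's own
# cn=RWusers group is granted write access to that domain's subtree only.

# 1. Passwords: the user may change their own, the domain's RWusers group may
#    reset any password in the domain, anyone may bind with it, nobody else
#    may read it. This rule must precede the general rule below.
access to dn.regex="^(.+,)?domainname=([^,]+),ou=virtualdomain,dc=abcd,dc=com$"
          attrs=userPassword
    by self write
    by group/groupOfNames/member.expand="cn=rwusers,domainname=$2,ou=virtualdomain,dc=abcd,dc=com" write
    by anonymous auth
    by * none

# 2. Everything else at or below one virtual domain: the user may edit their
#    own entry, the domain owner (via the group) may edit the whole subtree.
access to dn.regex="^(.+,)?domainname=([^,]+),ou=virtualdomain,dc=abcd,dc=com$"
    by self write
    by group/groupOfNames/member.expand="cn=rwusers,domainname=$2,ou=virtualdomain,dc=abcd,dc=com" write
    by * none

# ---- LDIF for one hosted domain (constructed sample data) ----
dn: domainName=virtual1.com,ou=virtualDomain,dc=abcd,dc=com
# objectClass lines omitted: domainName is defined by the site's own schema
domainName: virtual1.com

dn: cn=owner,domainName=virtual1.com,ou=virtualDomain,dc=abcd,dc=com
objectClass: person
cn: owner
sn: owner
userPassword: {SSHA}placeholder-hash

# Membership here, not slapd.conf, decides who administers virtual1.com.
dn: cn=RWusers,domainName=virtual1.com,ou=virtualDomain,dc=abcd,dc=com
objectClass: groupOfNames
cn: RWusers
member: cn=owner,domainName=virtual1.com,ou=virtualDomain,dc=abcd,dc=com

dn: cn=bob,domainName=virtual1.com,ou=virtualDomain,dc=abcd,dc=com
objectClass: person
cn: bob
sn: bob
userPassword: {SSHA}placeholder-hash
```

With this, cn=owner can modify every entry under virtual1.com (including cn=bob's password) while a bind from virtual2.net expands $2 to a different group and gets nothing; cn=bob can change only his own entry. Note that "by self write" covers every attribute of the user's own entry, so if email users should only touch their password and auto-reply data, add a narrower attrs= rule ahead of rule 2.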