
Re: Assigning user access to parts of tree



Hi Marco, and thanks again!

Hmm, it seems that I may have stated the original problem in a method
which could cause confusion.  Here's the real scenario:

- I have my top-level domain, say "dn:dc=abcd,dc=com"

- Within this I create an ou called virtualDomain thus:

	"dn:ou=virtualDomain,dc=abcd,dc=com"

- Within this I create a number of virtual domains, e.g.

	"dn:domainName=virtual1.com,ou=virtualDomain,dc=abcd,dc=com"
	"dn:domainName=virtual2.net,ou=virtualDomain,dc=abcd,dc=com"
	...

Now I'd need each of these to be administered by a different person;
the scenario is that of a web/mail hosting company which is hosting
multiple domains, one each per client.  The client should have
complete access to read/write each domain's information.  The client's 
authentication/authorisation information and password must also be
stored in the LDAP database itself, so that s/he has the option of
changing it at will.

To further complicate matters, within each virtualDomain there will be 
multiple virtualEmailUsers, each of whom will /also/ need their own
authentication in order to be able to change their POP password,
auto-reply file, etc.  Naturally, the domain owner must have "super-user"
permissions on this whole domain subtree (including the email users'
trees).

Perhaps I'm just slow in catching on, but is this possible with either 
of the schemes which you're suggesting?

Regards,

-- Raju

>>>>> "Marco" == Marco Ferrante <ferrante@unige.it> writes:

    >> Hi Marco,
    Marco> Hi,
    >> Thanks for the quick and detailed reply.  However if I
    >> understand you rightly, these access permissions go into the
    >> slapd.conf.  Is there any way of maintaining these permissions
    >> within the LDAP database itself?

    Marco> 	With these methods you have to set slapd.conf only
    Marco> once, then you can control access by editing entries directly.
    Marco> With the method using "groupOfNames", every time you add an
    Marco> entry called "cn=RWusers, ..." under a subtree and put a DN
    Marco> in a "member" attribute value of this entry, that DN can
    Marco> read and write every object under the subtree.  Ex:

    Marco> SLAPD.CONF:

    Marco> 	access to dn="(.*),ou=(.*),dc=abcd,dc=com"
    Marco> 		by self write
    Marco> 		by group="cn=RWusers,$2,dc=abcd,dc=com" write
    Marco> 		by group="cn=ROusers,$2,dc=abcd,dc=com" read


    Marco> LDIF:

    Marco> 	dn: cn=RWusers,ou=virtualDomain,dc=abcd,dc=com
    Marco> 	cn: RWusers
    Marco> 	ou: ou=virtualDomain
    Marco> 	member: cn=userA,ou=adomain,dc=abcd,dc=com
    Marco> 	member: cn=userC,ou=anotherdomain,dc=abcd,dc=com
    Marco> 	... other stuff ...

    Marco> Every user that binds with a DN listed in "member" can
    Marco> write in the ou=virtualDomain,dc=abcd,dc=com subtree.  You can
    Marco> add and remove values from the entry without touching
    Marco> SLAPD.CONF.

    Marco> 	With the second method the ACL also depends on entries,
    Marco> in a more performant but less flexible way.
	
    Marco> Bye
    Marco> --------------------------------------------------------
    Marco> Marco Ferrante (ferrante@unige.it)
    Marco> CSITA (Centro Servizi Informatici e Telematici d'Ateneo)
    Marco> Università degli Studi di Genova - Italy
    Marco> Viale Brigata Salerno - 16147 Genova
    Marco> tel (+39) 0103532621 (interno tel. 2621)
    Marco> --------------------------------------------------------
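An added example, not part of this thread and not code from either poster, showing how Marco's regex-group idea can be applied to Raju's actual layout (domainName=<dom>,ou=virtualDomain,dc=abcd,dc=com). It assumes the current slapd.access(5) spelling of the same idea (dn.regex= for the target and group.expand= / dn.subtree,expand= for the $N substitution; the bare dn="..." form in the quoted config is the older syntax), that each virtual domain carries a hypothetical group entry cn=domainAdmins,domainName=<dom>,ou=virtualDomain,dc=abcd,dc=com of objectClass groupOfNames whose member values are the owners' DNs, and that the mail-user entries sit below the domain entry and authenticate with userPassword. These names are illustrative, not anything the thread specifies.

```conf
# Added example (not from the thread). Per-virtual-domain delegation in
# slapd.conf for the layout domainName=<dom>,ou=virtualDomain,dc=abcd,dc=com.
# Assumed (hypothetical) group entry per domain:
#   cn=domainAdmins,domainName=<dom>,ou=virtualDomain,dc=abcd,dc=com
#   objectClass: groupOfNames   member: <owner DN> ...
#
# slapd consults "access to" clauses in order and uses only the FIRST one
# whose target (dn + attrs) matches, so the userPassword rule must come
# before the general subtree rule or it is never reached.

# 1. Passwords under any virtual domain: the entry itself or that
#    domain's admin group may change them; unauthenticated clients may
#    only use them to bind ("auth"), never read them. $2 is the domain
#    name captured from the target regex.
access to dn.regex="^(.+,)?domainName=([^,]+),ou=virtualDomain,dc=abcd,dc=com$"
        attrs=userPassword
        by self write
        by group.expand="cn=domainAdmins,domainName=$2,ou=virtualDomain,dc=abcd,dc=com" write
        by anonymous auth
        by * none

# 2. Everything else in a virtual domain subtree: the domain's admin
#    group has full write over the whole subtree (including the group
#    entry, so an owner can delegate by editing "member"); an entry may
#    edit its own attributes (auto-reply etc.); entries of the same
#    domain may read each other; users of other domains see nothing.
access to dn.regex="^(.+,)?domainName=([^,]+),ou=virtualDomain,dc=abcd,dc=com$"
        by group.expand="cn=domainAdmins,domainName=$2,ou=virtualDomain,dc=abcd,dc=com" write
        by self write
        by dn.subtree,expand="domainName=$2,ou=virtualDomain,dc=abcd,dc=com" read
        by * none

# 3. The container itself is readable by any bound user so one-level
#    searches from it work; nothing else is exposed (rootdn bypasses ACLs).
access to dn.base="ou=virtualDomain,dc=abcd,dc=com"
        by users read
        by * none

access to *
        by * none
```

Two practical checks before relying on this: run slapacl(8) as the intended DNs (an owner of virtual1.com against an entry under virtual2.net should get "DENIED"), and decide whether "by self write" on the whole entry is really wanted, since it lets a mail user change any attribute of its own entry, including mail-routing ones; if not, narrow that clause with attrs= to the auto-reply and similar attributes of the site's schema. Note also that a domain owner, having write on the group entry, can list any DN as a member, so membership is the owner's responsibility, not the server's.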