ACL assistance needed ...
Okay,
I am finally being forced to implement decent security on our LDAP
server. I looked through the FAQ on www.openldap.org and found references
for basic LDAP ACLs. However, at least one of them didn't work without
tweaking it a little, and I am wondering if some ACL gurus out there could
help me figure out how to do the following.
We have been creating all our groups and individuals with an element called
'owner'. Our intention with this element is to enable the members of any
groups listed as owners of an object to completely administrate/change
aspects of the subject objects. For example, if I have:
    cn=Building Monitor,o=George Fox University,c=US
        cn=Building Monitor
        owner=cn=Building Monitor Administrators,o=George Fox University,c=US
        member=cn=User One,o=George Fox University,c=US
        member=cn=User Two, o=George Fox University, c=US
        objectclass=top
        objectclass=groupOfNames

    cn=Building Monitor Administrators,o=George Fox University,c=US
        cn=Building Monitor Administrators
        owner=cn=Administrators,o=George Fox University,c=US
        member=cn=Andy Administrator,o=George Fox University,c=US
        objectclass=top
        objectclass=groupOfNames
I would like members of group 'cn=Administrators,o=George Fox
University,c=US' (not shown above) to be able to administrate
(add/delete/modify members of) group 'cn=Building Monitor
Administrators,o=George Fox University,c=US', and I would THEN like members
of 'cn=Building Monitor Administrators,o=George Fox University,c=US' to be
able to administrate the group 'cn=Building Monitor,o=George Fox
University,c=US'.
As a workaround, I have temporarily implemented each 'administration'
group with the name of the owned group + ' Administrators' in the DN of the
object. Unfortunately, this will only allow one group to administrate one
other group. How do I build the ACL to do this?
And before I forget, the ACL in the FAQ I had to tweak to get functioning
looked like:
    access to dn="cn=[^,]+,o=[^,]+,c=[^,]+" attrs=member by group="cn=$1 Administrators,o=$2,c=$3" write

but had to be changed to:

    access to dn="cn=([^,]+),o=([^,]+),c=([^,]+)" attrs=member by group="cn=$1 Administrators,o=$2,c=$3" write
This was on my Sun Sparc with Solaris 2.7 and OpenLDAP 1.2.11.
Tony
Anthony Brock <abrock@georgefox.edu>
Director of Network Services, George Fox University
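The two access rules discussed in the post, modelled in Python as an added example (not part of the original message or of OpenLDAP): the owner-based rule the poster wants (a user may change a group's members iff the user belongs to a group listed in that group's `owner` attribute) and the name-based workaround from the corrected FAQ regex, which only works once the three DN components are in capture groups. The entries are constructed from the post; the `cn=Administrators` group and its member `cn=Root Admin` are assumed, since the post says that group is not shown.

```python
import re

# Constructed sample entries mirroring the two groups in the post; the
# 'cn=Administrators' group and its member are assumed (not in the post).
ENTRIES = {
    "cn=Building Monitor,o=George Fox University,c=US": {
        "owner": ["cn=Building Monitor Administrators,o=George Fox University,c=US"],
        "member": ["cn=User One,o=George Fox University,c=US",
                   "cn=User Two, o=George Fox University, c=US"],
    },
    "cn=Building Monitor Administrators,o=George Fox University,c=US": {
        "owner": ["cn=Administrators,o=George Fox University,c=US"],
        "member": ["cn=Andy Administrator,o=George Fox University,c=US"],
    },
    "cn=Administrators,o=George Fox University,c=US": {
        "owner": [],
        "member": ["cn=Root Admin,o=George Fox University,c=US"],
    },
}

def norm(dn):
    # Collapse whitespace after commas so "o=X, c=US" compares equal to "o=X,c=US".
    return ",".join(part.strip() for part in dn.split(","))

def owner_may_write(entries, target_dn, user_dn):
    """Owner-based rule: the user may modify target's members iff the user is a
    direct member of some group listed in the target's 'owner' attribute.
    Ownership is deliberately not transitive: owning the owner group is not enough."""
    target = entries.get(norm(target_dn))
    if target is None:
        return False
    user = norm(user_dn)
    for owner_dn in target.get("owner", []):
        owner_group = entries.get(norm(owner_dn), {})
        if user in {norm(m) for m in owner_group.get("member", [])}:
            return True
    return False

# The FAQ regex as corrected in the post: parentheses are required so that
# $1..$3 actually capture the cn, o and c components.
DN_PATTERN = re.compile(r"^cn=([^,]+),o=([^,]+),c=([^,]+)$")

def naming_admin_group(target_dn):
    """Name-based workaround: map a group DN to its '<cn> Administrators' group,
    or None when the DN does not match the pattern (no capture, no rule)."""
    m = DN_PATTERN.match(norm(target_dn))
    if not m:
        return None
    cn, o, c = m.groups()
    return f"cn={cn} Administrators,o={o},c={c}"
```

Running the owner rule over the sample shows the chain the post asks for: Andy Administrator may edit Building Monitor, Root Admin may edit Building Monitor Administrators but not Building Monitor itself.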