[Date Prev][Date Next] [Chronological] [Thread] [Top]

ACL assistance needed ...



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Okay,

I am finally being forced to implement decent security on our ldap 
server.  I looked through the FAQ on www.openldap.org and found references 
for basic ldap ACL.  However, at least one of them didn't work without 
tweaking it a little, and I am wondering if some ACL guru's out there could 
help me figure out how to do the following.

We have been creating all our groups and individuals with an element called 
'owner'.  Our intention with this element is to enable the members of any 
groups listed as owners of an object to completely administrate/change 
aspects of the subject objects.  For example, if I have:

cn=Building Monitor,o=George Fox University,c=US
cn=Building Monitor
owner=cn=Building Monitor Administrators,o=George Fox University,c=US
member=cn=User One,o=George Fox University,c=US
member=cn=User Two, o=George Fox University, c=US
objectclass=top
objectclass=groupOfNames

cn=Building Monitor Administrators,o=George Fox University,c=US
cn=Building Monitor Administrators
owner=cn=Administrators,o=George Fox University,c=US
member=cn=Andy Administrator,o=George Fox University,c=US
objectclass=top
objectclass=groupOfNames

I would like members of group 'cn=Administrators,o=George Fox 
University,c=US' (not shown above) to be able to administrate 
(add/delete/modify members of) group 'cn=Building Monitor 
Administrators,o=George Fox University,c=US', and I would THEN like members 
of 'cn=Building Monitor Administrators,o=George Fox University,c=US' to be 
able to administrate the group 'cn=Building Monitor,o=George Fox 
University,c=US'.

As a work around, I have temporarily implemented each 'administration' 
group with the name of the owned group + ' Administrators' in the DN of the 
object.  Unfortunately, this will only allow one group to administrate one 
other group.  How do I build the ACL to do this?

And before I forget, the ACL in the FAQ I had to tweak to get functioning 
looked like:

access to dn="cn=[^,]+,o=[^,]+,c=[^,]+" attrs=member by group="cn=$1 
Administrators,o=$2,c=$3" write

but had to be changed to:

access to dn="cn=([^,]+),o=([^,]+),c=([^,]+)" attrs=member by group="cn=$1 
Administrators,o=$2,c=$3" write

This was on my Sun Sparc with Solaris 2.7 and OpenLDAP 1.2.11.

Tony
******************************************************************************
* Anthony Brock                                         abrock@georgefox.edu *
* Director of Network Services                         George Fox University *
******************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.1 Int. for non-commercial use <http://www.pgpinternational.com>

iQA/AwUBOUjpwRuaxl/7L1qlEQK2vwCdHBt1IuW82sHxHomtgUEuPKkE8eQAn3BP
ZWIB7tmyckojq3WpLHlOFPxQ
=VLKR
-----END PGP SIGNATURE-----