Re: Adding ACLs dinamically ...

["Kurt D. Zeilenga" <Kurt@OpenLDAP.org>]

At 10:30 AM 10/4/00 -0700, Ernesto Burtre wrote:
>Is there any possibility to dinamically define ACLs ? 

Yes, 2.0 has experimental support for in directory ACIs...
they are not documented yet... so you're on your own if
want to use them.


>I mean:  
> 
>- I have an LDAP directory with this structure: 
> 
>dn: o=mycompany, c=uy 
>o: mycompany 
>objectclass: organization 
> 
>dn: ou=ClientCompany1, o=mycompany, c=uy 
>ou: ClientCompany1 
>objectclass:organizationalUnit 
> 
>dn: uid=CCompany1Manager, ou=ClientCompany1, o=mycompany, c=Uruguay 
>uid: CCompany1Manager 
>userpassword: xxxx 
>objectclass: person 
>cn: Nestor 
>sn: Onetto 
>mail: nestoro@adinet.com.uy 
> 
>- I want to grant user CCompany1Manager in order he 
>can add, delete or modify entries only in: 
>ou=ClientCompany1, o=mycompany, c=uruguay 
>Then, I have to write the appropiate ACL in slapd.conf. 
> 
>Ok, what's the question then ? Here we go: 
> 
>What if I have an aplicattion that can create a new ClientCompany (let's say ClientCompany2) 
>with a new manager (let's say CCompany2Manger) ? 

>I'll be needing a new ACL in order to make resticcions 
>to this new user. So, How can I add this new ACL at the moment I am creating the 
>Organizational Unit and the Manager user for ClientCompany 2 ? 

If you design your DIT well, you can use the ACLs built in regular
expression capability to provide such capability.  In particular,
it's fairly easy to define an ACL which supports a set of
organizational units with subordinate manager or administrative
groups.  See the archives for examples.

>I think that: 
>- appending the new ACL to the slapd.conf, 
>- stopping ldapserver and starting again for "slapd" 
>  to read the new configuration 
> 
>is not an acceptable solution. That's why I asked: 

I agree... but you don't necessarily need in directory
ACLs to support dynamic management structures.