Re: Adding ACLs dynamically ...
At 10:30 AM 10/4/00 -0700, Ernesto Burtre wrote:
>Is there any possibility to dynamically define ACLs?
Yes, 2.0 has experimental support for in-directory ACIs...
they are not documented yet... so you're on your own if
you want to use them.
>I mean:
>
>- I have an LDAP directory with this structure:
>
>dn: o=mycompany, c=uy
>o: mycompany
>objectclass: organization
>
>dn: ou=ClientCompany1, o=mycompany, c=uy
>ou: ClientCompany1
>objectclass: organizationalUnit
>
>dn: uid=CCompany1Manager, ou=ClientCompany1, o=mycompany, c=Uruguay
>uid: CCompany1Manager
>userpassword: xxxx
>objectclass: person
>cn: Nestor
>sn: Onetto
>mail: nestoro@adinet.com.uy
>
>- I want to grant user CCompany1Manager rights so that he
>can add, delete or modify entries only in:
>ou=ClientCompany1, o=mycompany, c=uruguay
>Then, I have to write the appropriate ACL in slapd.conf.
>
>OK, what's the question then? Here we go:
>
>What if I have an application that can create a new ClientCompany (let's say ClientCompany2)
>with a new manager (let's say CCompany2Manager)?
>I'll be needing a new ACL in order to make restrictions
>for this new user. So, how can I add this new ACL at the moment I am creating the
>Organizational Unit and the Manager user for ClientCompany2?
If you design your DIT well, you can use the ACLs' built-in regular
expression capability to provide such capability. In particular,
it's fairly easy to define an ACL which supports a set of
organizational units with subordinate manager or administrative
groups. See the archives for examples.
>I think that:
>- appending the new ACL to the slapd.conf,
>- stopping ldapserver and starting again for "slapd"
> to read the new configuration
>
>is not an acceptable solution. That's why I asked:
I agree... but you don't necessarily need in-directory
ACLs to support dynamic management structures.
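The regex-based approach the reply points at, written out as an added slapd.conf excerpt (this is an illustration, not code from the thread or from the OpenLDAP project). It assumes OpenLDAP 2.0-style ACLs where `dn=` patterns are regular expressions matched against the normalized DN (no spaces after commas, case-insensitive), where `$2` in a `by dn=` pattern is replaced by the second group captured by the `to dn=` pattern, and a naming convention of your own choosing: manager accounts sit directly under their client OU and have an RDN ending in `manager` (the `c=uy` suffix follows the structure in the question; check slapd.access(5) for the exact rules of the version in use):

```conf
# Added illustration (not from the original thread). One ACL set that covers
# every ou=<client>,o=mycompany,c=uy subtree, so creating ClientCompany2 and
# its manager entry needs no slapd.conf edit and no restart.
#
# Assumptions (see slapd.access(5) for the version you run):
#  - dn= patterns are regexes matched against the normalized DN
#    (no spaces after commas, case-insensitive), as in OpenLDAP 2.0
#  - $2 in a "by dn=" pattern is the second group captured by "to dn="
#  - naming convention: manager entries live directly under the client OU
#    and their RDN ends in "manager", e.g.
#      uid=ccompany1manager,ou=clientcompany1,o=mycompany,c=uy
#
# ACLs are first-match, so the more specific rules come first.

# Passwords inside a client subtree: the client's own manager may set them
# (needed to create accounts), each account may change its own, anyone may
# bind against them, nobody may read them.
access to dn="^(.*,)?ou=([^,]+),o=mycompany,c=uy$" attrs=userPassword
    by dn="^uid=[^,]*manager,ou=$2,o=mycompany,c=uy$" write
    by self write
    by anonymous auth
    by * none

# The client subtree itself: "(.*,)?" makes the pattern match the OU entry
# as well as everything beneath it; group 2 captures the OU name. The
# client's manager(s) get write, which covers add, delete and modify of
# entries under ou=<client>; other accounts of the same client get read;
# accounts of other clients get nothing.
access to dn="^(.*,)?ou=([^,]+),o=mycompany,c=uy$"
    by dn="^uid=[^,]*manager,ou=$2,o=mycompany,c=uy$" write
    by dn="^(.*,)?ou=$2,o=mycompany,c=uy$" read
    by * none

# Passwords anywhere else (e.g. accounts directly under the root entry).
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Everything else (the root entry, OUs that are not client OUs):
# read-only for authenticated users, nothing for anonymous.
access to *
    by users read
    by * none
```

Two things worth checking before relying on this: the `by dn=` pattern is only as strong as the naming convention, since any entry a manager creates under its OU with an RDN ending in `manager` also becomes a manager of that client, so either accept that delegation or pin the manager RDN to a fixed value (for example `uid=manager,ou=$2,...`); and the ACL that creates a new client OU itself still has to be granted to whatever account your provisioning application binds as, under the final `access to *` rule or a dedicated one above it, rather than to the client managers.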