[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: ACL for multiple groups
At 11:19 PM 1/26/01 +0800, eg_ymc@stu.ust.hk wrote:
>Dear all,
>
>I have to develop a directory for multiple groups. Each group has different access control rights. If a user is a member of several groups, which access control right should he have? Does he have the greatest right among all group (say, the write right is greater than the read)?
In OpenLDAP 2.0, you can use the experimental ACL additive permissions
and clause controls. See http://www.openldap.org/faq/index.cgi?file=447
and tests/data/slapd-acl.conf for an example. See the 1.2 faq for
examples on group ACLs.
In 1.2 (and 2.0 without the above), you need to order group
checks so that the first matched clause is what you want.
That is, check for ou=senior manager before ou=sales before
individual rights.
>For example, John is a member of sales group and a member of senior manager group (see the table).
>__________________________________________
>John DN: uid = john, ou = staff, dc=abc, dc=com
>He has right to compare customer information
>__________________________________________
>Sales DN: ou=sales, dc=abc, dc=com
>member: uid = john, ou = staff, dc=abc, dc=com
>This group has right to read customer information
>__________________________________________
>Sales DN: ou=senior manager, dc=abc, dc=com
>member: uid = john, ou = staff, dc=abc, dc=com
>This group has right to write customer information
>__________________________________________
>
>When John logins , what is the access right of John?