User management
Hello,
I am developing an application that should permit users
to interact with a subtree of the DIT.
For example, given the node
ou=Managers,ou=Administration,l=Italy,o=XYZ
there is a user called
admin
that can do everything, but only under that node.
That user can add other users too, to manage zones under
his zone:
for example, the user admin could add the zone
ou=SuperManagers,ou=Managers,ou=Administration,l=Italy,o=XYZ
and define a user smadmin to manage that zone.
After that, admin should be able to see everything under
the zone ou=Managers,ou=Administration,l=Italy,o=XYZ,
INCLUDING the zone ou=SuperManagers,... and smadmin only
the latter.
These operations should not require restarting the server with
new ACL definitions.
What is the best/preferred way to do that?
I was thinking about adding an attribute to every user that
contains the zone for which he is enabled. For example, the
user admin should be defined in this way:
dn: cn=admin,ou=applicationUsers,o=XYZ
cn: admin
enabledCtx: ou=Managers,ou=Administration,l=Italy,o=XYZ
and then define an ACL that reads enabledCtx.
Are there other ways to do it?
Thanks for any suggestion,
L.
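Added example, not code from the original thread and not a specific server's ACL syntax: a small application-side model of the enabledCtx scheme described in the post. It assumes the hypothetical enabledCtx attribute (one or more values per user entry), that all DN components compare case-insensitively (true for cn, ou, o and l, not for every attribute type), and that the application checks authorization before it sends any LDAP operation. The part that matters for security is that "under this node" is decided RDN by RDN on a normalized DN, never by string suffix, so an RDN value containing an escaped comma cannot masquerade as a subordinate of the zone, and that delegation (admin creating smadmin's zone) is refused unless the new zone lies inside a zone the grantor already holds.

```python
"""
Subtree scoping for the enabledCtx model from the post.  Added example,
not code from the original thread.  Assumptions (see comments): the
attribute name enabledCtx is hypothetical, DN components compare
case-insensitively, and the application enforces these checks itself.
"""


def _split_escaped(s, sep):
    """Split s on sep, but not on a sep that is backslash-escaped or
    inside double quotes (RFC 4514 allows both forms)."""
    parts, cur, quoted, i = [], [], False, 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):      # keep the escape pair intact
            cur.append(s[i:i + 2])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        if c == sep and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts


def _normalize_ava(ava):
    """'OU = Super  Managers' -> ('ou', 'super managers').
    Assumption: case-insensitive (caseIgnore) matching for every type."""
    typ, _, val = ava.partition("=")
    return (typ.strip().lower(), " ".join(val.split()).lower())


def normalize_dn(dn):
    """Return the DN as a tuple of RDNs, each RDN a sorted tuple of
    (type, value) pairs, so two spellings of one DN compare equal."""
    dn = dn.strip()
    if not dn:
        return ()
    rdns = []
    for rdn in _split_escaped(dn, ","):
        avas = sorted(_normalize_ava(a) for a in _split_escaped(rdn, "+"))
        rdns.append(tuple(avas))
    return tuple(rdns)


def is_within(target_dn, base_dn):
    """True if target_dn is base_dn itself or a subordinate of it.
    Compared RDN by RDN from the right, never as a string suffix."""
    target, base = normalize_dn(target_dn), normalize_dn(base_dn)
    if not base:                          # an empty zone grants nothing
        return False
    return len(target) >= len(base) and target[len(target) - len(base):] == base


# Constructed sample directory mirroring the post: user DN -> enabledCtx values.
ENABLED_CTX = {
    "cn=admin,ou=applicationUsers,o=XYZ": [
        "ou=Managers,ou=Administration,l=Italy,o=XYZ",
    ],
    "cn=smadmin,ou=applicationUsers,o=XYZ": [
        "ou=SuperManagers,ou=Managers,ou=Administration,l=Italy,o=XYZ",
    ],
}


def zones_for(user_dn, directory=ENABLED_CTX):
    """enabledCtx values of the user, matched on the normalized DN."""
    want = normalize_dn(user_dn)
    for dn, zones in directory.items():
        if normalize_dn(dn) == want:
            return zones
    return []


def may_access(user_dn, target_dn, directory=ENABLED_CTX):
    """A user may touch target_dn if it lies in any of his zones."""
    return any(is_within(target_dn, z) for z in zones_for(user_dn, directory))


def delegate(grantor_dn, new_user_dn, new_zone, directory=ENABLED_CTX):
    """Record new_zone for new_user_dn.  Delegation must not escalate:
    the grantor may only hand out a zone inside one he already holds
    (the post's admin -> smadmin case).  Returns True on success."""
    if not may_access(grantor_dn, new_zone, directory):
        return False
    directory.setdefault(new_user_dn, []).append(new_zone)
    return True


if __name__ == "__main__":
    admin = "cn=admin,ou=applicationUsers,o=XYZ"
    smadmin = "cn=smadmin,ou=applicationUsers,o=XYZ"
    sm_zone = "ou=SuperManagers,ou=Managers,ou=Administration,l=Italy,o=XYZ"
    print("admin sees SuperManagers:", may_access(admin, sm_zone))
    print("smadmin sees Managers:   ",
          may_access(smadmin, "ou=Managers,ou=Administration,l=Italy,o=XYZ"))
    print("escaped-comma lookalike: ",
          may_access(admin, "ou=Evil\\,ou=Managers,ou=Administration,l=Italy,o=XYZ"))
```

Whatever mechanism the server offers for reading a requester attribute in an ACL, the authoritative check belongs on the server; a check like this in the application is defense in depth, and its value is in the comparison semantics. Note the lookalike case in the usage block: `ou=Evil\,ou=Managers,ou=Administration,...` is a single RDN directly under ou=Administration, so it must not be treated as part of the Managers zone even though the raw string ends with the zone's DN.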