Re: Considering OpenLDAP - Functionality Questions.
>I work at a University in the US Mountain West. We're looking to implement a
>Directory tree to handle user account management for computer labs and
>workstations. Once we're rolled out we'll want to allow different
>organizations to manage certain aspects of their organization,
>represented as organizational units in the tree. Consequently, most
>accounts would have read access to portions of all the information
>(home directory, UIDs, default shell, etc). Organizational Admins would
>also have full read access of their scope of the tree, as well as
>modify privileges in certain circumstances. We would also want to
>maintain central administration of the entire tree. I'm familiar with
>some other directory products such as eDirectory and Active Directory,
>but not OpenLDAP specifically. I'd appreciate it if any of you could
>take a moment or two to answer some "pre-sales" type questions. (I
>wasn't able to find the answers on my own).
>Example of our directory structure:
>
> dc=University,dc=edu
>   |
>   ou-Org Unit 1
>   |     |
>   |     cn-Admin Org 1
>   |     cn-user1a
>   |     cn-user1b
>   |
>   ou-Org Unit 2
>         |
>         cn-Admin Org 2
>         cn-user2a
>         cn-user2b
>   (and so on)
>Does OpenLDAP have the ability (possibly via ACLs or a similar mechanism)
>to allow certain accounts in the DIT root access to portions of the
>tree? For instance, the Admin of Org 1 has read/modify access to Org
>Unit 1, but not Org Unit 2, and vice versa for the Admin of Org 2.
Absolutely, yes. You can use a variety of pseudo-attributes and regular
expressions to accomplish almost any model of access control.
>Alternately, is it possible to set up, via slurpd, a replica of the tree
>so that the Main server would have a copy of the entire tree, but the
>entire Org Unit 1 structure would also live on a separate server,
Differentiated replication, yes.
>allowing total access to the root of that particular server? (Obviously
>modifies would need to take place at the master server, but this would
>at least allow full read-only access to the Organizational admin).
I cover both ACLs and differentiated replication for OpenLDAP in my LDAP
presentation. ftp://kalamazoolinux.org/pub/pdf/ldapv3.pdf
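An added example (not from either poster, nor from the linked presentation) of how the delegated-admin model in the question maps onto slapd.conf ACLs plus a slurpd `replica` stanza limited to one OU. It assumes OpenLDAP 2.2-era slapd.conf syntax, that each org's admin entry is named `cn=Admin ...` directly under its OU as in the posted tree, and placeholder replica host and credentials.

```conf
# slapd.conf fragment (inside the database section). Added example, not from
# the thread. Assumptions: OpenLDAP 2.2-era syntax; each org admin is the entry
# cn=Admin <org>,ou=<that org>,dc=University,dc=edu (as in the posted tree);
# the replica host name and credentials below are placeholders.
# ACLs are evaluated first match wins; rootdn bypasses them entirely, which is
# how central administration of the whole tree is retained.

# Passwords: owners may change their own, their org admin may reset them,
# anyone may bind against them, nobody else may read them.
access to dn.regex="^(.+,)?ou=([^,]+),dc=University,dc=edu$" attrs=userPassword
    by self write
    by dn.regex="^cn=Admin[^,]*,ou=$2,dc=University,dc=edu$" write
    by anonymous auth
    by * none

# Every other attribute under an OU (homeDirectory, uidNumber, loginShell, ...):
# the OU's own admin may modify, any authenticated account may read.
# $2 is the OU name captured in the "to" clause, so the admin under
# ou=Org Unit 1 matches only for entries under ou=Org Unit 1 and never for
# ou=Org Unit 2. OU names containing regex metacharacters would need escaping.
access to dn.regex="^(.+,)?ou=([^,]+),dc=University,dc=edu$"
    by dn.regex="^cn=Admin[^,]*,ou=$2,dc=University,dc=edu$" write
    by users read
    by * none

# The suffix entry itself is readable, but only rootdn may change it.
access to dn.base="dc=University,dc=edu"
    by users read
    by * none

# Differentiated replication: slurpd pushes only the Org Unit 1 subtree to
# that org's own server; the master keeps the whole tree and takes all writes.
replogfile /var/lib/ldap/replog
replica host=orgunit1-ldap.example.edu:389
    suffix="ou=Org Unit 1,dc=University,dc=edu"
    binddn="cn=replicator,dc=University,dc=edu"
    bindmethod=simple credentials=REPLACE_WITH_REPLICATOR_PASSWORD
```

Note that slurpd and the `replica` directive were removed in OpenLDAP 2.4 in favour of syncrepl, which supports the same subtree-limited replication through its `searchbase` setting.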