
access rights in ldap-tree



Hello,
We are at the decision stage of choosing a solution for our LDAP implementation.
OpenLDAP looks good for us, however there's one issue I'd like to be
sure of before making a final decision.

How do I, or can I at all, put some access controls (rules) for LDAP
into LDAP itself? It doesn't matter to me whether the LDAP server which
provides the access rights is the same one to which the access rights apply, or
a different one (another instance). The purpose of keeping LDAP rights
in LDAP is as follows: we are going to create a web admin interface
(strictly speaking in PHP, but that doesn't matter) which should be able to e.g. add
users to LDAP. However, these users, added by some kind of hyperadmin, should
be able to "administrate" (write to) some LDAP subtrees assigned to them.
LDAP access rights can be set in slapd.conf, however the main goal is to
avoid editing any system config file (and probably a service restart).
                                                                                                                             
My investigations turned up some clues regarding SASL and
regexp-based access controls. So it looks like I can set up
an access right like

        "by (dn=some_regexp_match_dn) accesslevel"

so if a user belongs e.g. to the his-domain-admins subtree, he can edit
his-domain-users and his-domain-settings (his-domain-aliases,
his-domain-dnsentries).
The question is, do I understand these SASL issues properly? Anyway,
in this way I cannot explicitly set in LDAP the type of access level
for these users. I'd like to add some users with their permissions into
the LDAP tree and maintain access rights via an LDAP client (no matter whether web or
gq-like). Another point with the method mentioned above is that when
adding a new domain I still have to add such an access control to the slapd.conf
file, which is not wanted.

I also found some clues that SunOne has such a feature, however
I am not sure of it, and anyway OpenLDAP is preferred as an open-source
solution.

I do not expect recipes, but rather that someone could tell me whether it is
possible or not, and whether I am going in the right direction with SASL.

Best regards from Poland, hope someone can enlighten me on this :)
Thanks,
Piotr
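
The regexp-based rule described in the message, modelled in Python as an added example that is not part of the original post and is not OpenLDAP code: the domain name is captured from the target entry's DN and substituted into the pattern the binding DN must match, so one rule covers every domain subtree. The suffix `dc=example,dc=com`, the `ou=<domain>-admins` naming and the function `access_level` are assumptions made for the illustration.

```python
import re

SUFFIX = "dc=example,dc=com"  # constructed suffix (assumption)

# Roughly the slapd.conf form being modelled (one rule, all domains):
#   access to dn.regex="^(.+,)?ou=([^,]+)-(users|settings|aliases|dnsentries),dc=example,dc=com$"
#       by dn.regex="^uid=[^,]+,ou=$2-admins,dc=example,dc=com$" write
#       by * none
TARGET = re.compile(
    r"(.+,)?ou=([^,]+)-(users|settings|aliases|dnsentries)," + re.escape(SUFFIX)
)
WHO_TEMPLATE = r"uid=[^,]+,ou=$2-admins," + re.escape(SUFFIX)


def access_level(bind_dn, target_dn):
    """Return 'write' or 'none' for bind_dn acting on target_dn."""
    # fullmatch anchors both ends, so a DN with extra trailing
    # components cannot slip through a prefix match.
    m = TARGET.fullmatch(target_dn.lower())
    if m is None:
        return "none"  # the rule does not cover this entry at all
    # Substitute the captured domain into the "who" pattern. It is escaped
    # in this model so that a domain such as "example.org" matches literally.
    who = WHO_TEMPLATE.replace("$2", re.escape(m.group(2)))
    if re.fullmatch(who, bind_dn.lower()):
        return "write"
    return "none"


if __name__ == "__main__":
    # Constructed sample DNs
    admin = "uid=anna,ou=acme-admins,dc=example,dc=com"
    for target in (
        "uid=bob,ou=acme-users,dc=example,dc=com",
        "cn=www,ou=acme-dnsentries,dc=example,dc=com",
        "uid=eve,ou=other-users,dc=example,dc=com",
    ):
        print(admin, "->", target, ":", access_level(admin, target))
```
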