"Access to" directives for RDBMs-LDAP model mapping
Hi folks,

We are working on an LDAP module for hipergate.org. FYI, hipergate is a CRM suite with Contacts information, managed by a security service based upon an RDBMS model. Each "user" belongs to a "workarea" (or workgroup), which contains "contact" information. A "contact" could be public to all members of the "workarea" or private for a certain user.

We want to use LDAP as an easy way to access our information from Outlook/Mozilla/Evolution, but we have problems with the security restrictions using the "access to" directives at slapd.conf.

I'm trying to figure out how to map this security model in an LDAP structure. No modifications can be done at LDAP, as the database is exported in a batch process. This is an example of the proposed directory structure:
-----------------------------------------------------------------------
dc=org
`-- dc=hipergate
    `-- dc=workareas
        `-- dc=d41d8cd98f00b204e9800998ecf8427e   (workarea GUID)
            |-- dc=contacts
            |   `-- dc=John Public
            |       @-- givenName: John
            |       @-- sn: Public
            |       @-- mail: john.public@acme.com
            `-- dc=users
                `-- dc=joe.user@hipergate.org
                    @-- objectClass: person, inetOrgPerson
                    @-- mail: joe.user@hipergate.org
                    @-- userPassword: xxxxxxxxx
                    `-- dc=contacts
                        `-- cn=Jane Private
                            @-- givenName: Jane
                            @-- sn: Private
                            @-- mail: jane.private@acme.com
-----------------------------------------------------------------------
"John Public" will be visible to any authenticated user belonging to the corresponding "workarea", and "Jane Private" will be visible only to "joe.user@hipergate.org". Is there an easy way to implement security restrictions only with "access to" directives at slapd.conf?

* Anonymous users can authenticate against "users" entries
* Authenticated users can see their own "contacts" (subtree)
* Authenticated users can see "contacts" inside their parent "workarea"

I'm also wondering how a user can bind to the directory using only its "cn" and "userPassword", without having to enter all the "dn" info, so the Bind DN could be just "joe.user@hipergate.org".
Thanks!
Ivan Montoro
The hipergate working group
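One way to express the three rules above in slapd.conf, as an added example that is not part of the original message or of hipergate's own configuration; it assumes OpenLDAP 2.2-style ACL syntax (dn.regex targets with $N expansion in the by clauses) and the exact DNs of the proposed tree.

```conf
# Added example, not from the message or from hipergate: a slapd.conf ACL
# set for the directory layout above (assumes OpenLDAP 2.2-style syntax).
# Rules are checked in order and the first "access to" whose target
# matches the entry decides, so the specific rules come first.

# 1. Anonymous clients may only authenticate (simple bind) against a
#    "users" entry; the hash itself is never readable, and since the
#    directory is a batch export nobody needs write access to it here.
access to dn.regex="^dc=[^,]+,dc=users,dc=[^,]+,dc=workareas,dc=hipergate,dc=org$"
        attrs=userPassword
    by anonymous auth
    by * none

# 2. A user's private "contacts" subtree is readable only by that user.
#    $2 is the user's own DN, captured from the target pattern.
access to dn.regex="^(.+,)?dc=contacts,(dc=[^,]+,dc=users,dc=[^,]+,dc=workareas,dc=hipergate,dc=org)$"
    by dn.exact,expand="$2" read
    by * none

# 3. The workarea's "contacts" subtree is readable by any user whose own
#    entry sits under dc=users of that same workarea ($2 = workarea DN).
access to dn.regex="^(.+,)?dc=contacts,(dc=[^,]+,dc=workareas,dc=hipergate,dc=org)$"
    by dn.regex="^dc=[^,]+,dc=users,$2$" read
    by * none

# 4. Users may read the rest of their own entry; nobody else sees it.
access to dn.regex="^dc=[^,]+,dc=users,dc=[^,]+,dc=workareas,dc=hipergate,dc=org$"
    by self read
    by * none

# 5. A workarea node may be traversed (search access on the entry) only
#    by its own members, so one workarea cannot enumerate another.
access to dn.regex="^(dc=[^,]+,dc=workareas,dc=hipergate,dc=org)$"
    by dn.regex="^dc=[^,]+,dc=users,$1$" search
    by * none

# 6. The common ancestors may be traversed by any authenticated user,
#    so an address book can use dc=hipergate,dc=org as its search base.
access to dn.regex="^(dc=workareas,)?dc=hipergate,dc=org$"
    by users search
    by * none

# 7. Everything else (dc=users containers, other workareas) is denied.
access to *
    by * none
```

ACLs do not solve the short Bind DN asked about at the end: a simple bind still needs the full DN, and slapd only maps a short identity to a DN for SASL binds (authz-regexp).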