Re: Access Control by Organizational Unit?
Heather Lockridge writes:
> I would like to implement an ldap scheme so that each
> department which is an organizational unit has a
> person who can control the entries for their
> department and no others.
>
> By this I mean that that person will have the right to
> add/delete/modify entries in their own ou only.
This is untested, but: You can give the manager entries below each OU
the same RDN, e.g. cn=Directory Manager, and use access controls
like:
    # Anchored with ^ and $: slapd matches dn.regex with regexec(), so an
    # unanchored "[^,]*,(ou=.*)" would also match entries deeper down.
    access to dn.regex="^[^,]*,(ou=.*)$" attr=userPassword
        by self ssf=128 write
        by dn.regex="^cn=Directory Manager,$1$" ssf=128 write
        by * ssf=128 auth
    access to dn.regex="^[^,]*,(ou=.*)$"
        by dn.regex="^cn=Directory Manager,$1$" write
        by * read
    # "children" is the pseudo-attribute that controls adding/deleting
    # entries below the OU itself.
    access to dn.regex="^(ou=.*)$" attr=children
        by dn.regex="^cn=Directory Manager,$1$" write
        by * read
The "[^,]*," says that the directive applies to entries directly below
the ou. It will not work if the OU contains entries with "," in their
RDN. Or if you want to give the manager access to subtrees below the
OU, and you do not have OUs below OUs, use 'dn.regex=.*,(ou=.*)'. If
that does not fit your organizational structure, I can probably come up
with a more complicated regex if you tell me what it should match.
The $1 matches the first "()" in the "to" phrase, i.e. DN of the OU.
What the first directive should look like depends on who should
be able to access userPassword in which manner. The important
point is to ensure that unauthorized users will not see userPassword.
If the manager does not need to be able to update it (after creating
the entry), you can delete the parts about dn.regex for userPassword.
The Directory Manager entry could be something like
dn: cn=Directory Manager,ou=foobar,dc=urgle,dc=com
cn: Directory Manager
objectClass: organizationalRole
objectClass: simpleSecurityObject
userPassword: {CRYPT}some-crypt
# other attributes which you might add for informational purposes
roleOccupant: uid=whoops,ou=foobar,dc=urgle,dc=com
telephoneNumber: +1 234 5678
description: Manager of the LDAP directory for this department
Another way would be to register in each entry an OpenLDAPaci attribute
which gives access to the manager of the OU, and ACIs for the OUs that
the manager can update the children. But if someone else becomes
directory manager for an OU, you must then change all the ACIs for that
OU - unless you use a special name like Directory Manager for the
manager. Also you need an 'access ... by aci' directive in slapd.conf,
and to configure with '--enable-aci'.
> Does anyone have any examples of how to do this while
> allowing the overall ldap-admin acces to all? Or a
> pointer to some (any) examples?
The DN in a database definition's 'rootdn' has full access to the
database regardless of access controls. The rootdn entry need not
actually exist in the database, though it must be a DN below the
database's suffix.
--
Hallvard
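Added example, not part of the mail above and not OpenLDAP's own code: a small Python evaluator for slapd-style "access to dn.regex=... by dn.regex=... <level>" directives, used to show which bind DNs get which rights under the per-OU manager rules discussed above, and why the "[^,]*," pattern needs anchoring and fails on RDNs containing ",". It assumes slapd semantics as follows: dn.regex is matched with regexec() (unanchored unless ^/$ are given, case-insensitive), $N in a by-clause is replaced verbatim with the N-th group captured by the to-clause, the first matching to-clause wins, within it the first matching by-clause decides, a by-clause with ssf=N only applies when the connection SSF is at least N, and no match means no access. The attribute matching (attrs_match) is a deliberate simplification, and all DNs below dc=urgle,dc=com are constructed for the example.

```python
import re

# Access levels in slapd order; a grant of level X satisfies any request <= X.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def permits(granted, wanted):
    """True if a grant of `granted` covers a request for `wanted`."""
    return LEVELS.index(granted) >= LEVELS.index(wanted)

def expand(by_pattern, to_match):
    """Replace $N with the N-th group captured by the <to> regex.
    Assumption: like slapd, the captured text is inserted verbatim (not escaped)."""
    return re.sub(r"\$([1-9])", lambda g: to_match.group(int(g.group(1))), by_pattern)

def attrs_match(attrs, attr):
    """Simplified attrs matching: a <to> clause without attrs covers the entry's
    ordinary attributes; the 'children' pseudo-attribute must be named explicitly."""
    if attrs is None:
        return attr.lower() != "children"
    return attrs.lower() == attr.lower()

def access(acls, bind_dn, ssf, target_dn, attr):
    """Level the first matching <to> clause grants bind_dn on target_dn/attr.
    Within that clause the first matching <by> decides; a <by> with ssf=N is
    skipped unless ssf >= N; if nothing matches the answer is 'none'."""
    for acl in acls:
        m = re.search(acl["to"], target_dn, re.IGNORECASE)  # regexec(): unanchored, REG_ICASE
        if not m or not attrs_match(acl["attrs"], attr):
            continue
        for who, min_ssf, level in acl["by"]:
            if ssf < min_ssf:
                continue
            if who == "*":
                return level
            if who == "self":
                if bind_dn and bind_dn.lower() == target_dn.lower():
                    return level
                continue
            # anything else is a dn.regex pattern, possibly containing $1
            if bind_dn and re.search(expand(who, m), bind_dn, re.IGNORECASE):
                return level
        return "none"
    return "none"

def check(acls, bind_dn, ssf, target_dn, attr, wanted):
    """True if bind_dn (at connection strength ssf) may do `wanted` on target_dn/attr."""
    return permits(access(acls, bind_dn, ssf, target_dn, attr), wanted)

def ou_of(to_pattern, dn):
    """The OU DN a <to> pattern captures as $1, or None if the pattern does not match."""
    m = re.search(to_pattern, dn, re.IGNORECASE)
    return m.group(1) if m else None

# The mail's three directives, anchored with ^ and $ so that "[^,]*," really
# means "exactly one RDN above the OU".  Tuples are (who, min ssf, level).
OU_MANAGER = r"^cn=Directory Manager,$1$"
ACLS = [
    {"to": r"^[^,]*,(ou=.*)$", "attrs": "userPassword",
     "by": [("self", 128, "write"), (OU_MANAGER, 128, "write"), ("*", 128, "auth")]},
    {"to": r"^[^,]*,(ou=.*)$", "attrs": None,
     "by": [(OU_MANAGER, 0, "write"), ("*", 0, "read")]},
    {"to": r"^(ou=.*)$", "attrs": "children",
     "by": [(OU_MANAGER, 0, "write"), ("*", 0, "read")]},
]

# Constructed sample DNs under the mail's dc=urgle,dc=com suffix.
MGR = "cn=Directory Manager,ou=foobar,dc=urgle,dc=com"
USER = "uid=whoops,ou=foobar,dc=urgle,dc=com"
OTHER = "uid=bob,ou=sales,dc=urgle,dc=com"
DEEP = "cn=phone,uid=whoops,ou=foobar,dc=urgle,dc=com"
ESCAPED = r"cn=Smith\, John,ou=foobar,dc=urgle,dc=com"

if __name__ == "__main__":
    print("manager writes own OU entry:", check(ACLS, MGR, 0, USER, "mail", "write"))
    print("manager writes other OU entry:", check(ACLS, MGR, 0, OTHER, "mail", "write"))
    print("manager adds under own OU:", check(ACLS, MGR, 0, "ou=foobar,dc=urgle,dc=com", "children", "write"))
    print("anonymous reads userPassword:", check(ACLS, "", 128, USER, "userPassword", "read"))
    print("self changes password over TLS:", check(ACLS, USER, 128, USER, "userPassword", "write"))
    print("self changes password in clear:", check(ACLS, USER, 0, USER, "userPassword", "write"))
    print("unanchored pattern on deeper entry:", ou_of(r"[^,]*,(ou=.*)", DEEP))
    print("anchored pattern on deeper entry:", ou_of(r"^[^,]*,(ou=.*)$", DEEP))
    print("anchored pattern, escaped comma in RDN:", ou_of(r"^[^,]*,(ou=.*)$", ESCAPED))
    print("subtree variant on deeper entry:", ou_of(r"^.*,(ou=.*)$", DEEP))
```

Running the script shows the manager getting write on entries and children in its own OU but only read elsewhere, userPassword reachable only for auth by everyone else and only over a connection with SSF 128, and the unanchored "[^,]*,(ou=.*)" still matching an entry two levels below the OU, which is why the anchored form is used in the ACLs above. The escaped comma case comes back as no match at all, i.e. such an entry silently falls outside the manager's rights, exactly the caveat the mail raises.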