Re: Access Control by Organizational Unit?
On Wed, 19.05.2004 at 13.43, Heather Lockridge wrote:
> I would like to implement an ldap scheme so that each
> department which is an organizational unit has a
> person who can control the entries for their
> department and no others.
>
> By this I mean that that person will have the right to
> add/delete/modify entries in their own ou only.
Well, here is an example on this test rig where a group is allowed write
access to "ordinary" users in the ou people. It could just as well be a
person. One has to give access both to the base of the dn tree and to
its children, therefore the two ACLs.
access to dn=ou=people,ou=groups,dc=billy,dc=demon,dc=nl
        by dn=cn=admin,dc=billy,dc=demon,dc=nl write
        by group=cn=peoplemanagers,ou=groups,dc=billy,dc=demon,dc=nl write
        by * read

access to dn=ou=people,ou=groups,dc=billy,dc=demon,dc=nl
        attrs=children
        by dn=cn=admin,dc=billy,dc=demon,dc=nl write
        by group=cn=peoplemanagers,ou=groups,dc=billy,dc=demon,dc=nl write
        by * read
> This is on a Fedora Core 1 system.
Oh dear, Red Hat's stock OL 2.0.27 again. I'm a RH person but kill RHEL3,
Fedora - whatever OL and put my own - latest empirically stable - on the
distro. I don't know whether 2.0.27 knows the concept of base and
children.
--Tonni
--
We make out of the quarrel with others rhetoric
but out of the quarrel with ourselves, poetry.
mail: tonni@billy.demon.nl
http://www.billy.demon.nl
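The pattern Tonni shows above generalised to one rule set that delegates each department OU to its own manager group, as an added slapd.conf example that is not from the original thread. It assumes OpenLDAP 2.2-style ACL syntax (dn.regex and group.expand, not the 2.0.27 syntax Heather is running), a hypothetical suffix dc=example,dc=com with departments as ou=<dept> directly under it, and a hypothetical group cn=<dept>-managers,ou=groups,dc=example,dc=com per department.

```conf
# Added example, hypothetical layout (not from the thread):
#   ou=<dept>,dc=example,dc=com                    department subtree
#   cn=<dept>-managers,ou=groups,dc=example,dc=com manager group for <dept>
# The regex capture $1 is the department name; group.expand substitutes it
# into the group DN, so one rule set serves every department.

# 1. The department entry itself (its own attributes).
access to dn.regex="^ou=([^,]+),dc=example,dc=com$"
        by group.expand="cn=$1-managers,ou=groups,dc=example,dc=com" write
        by * read

# 2. The "children" pseudo-attribute of the department entry: write here
#    is what allows adding and deleting entries directly below the OU.
access to dn.regex="^ou=([^,]+),dc=example,dc=com$" attrs=children
        by group.expand="cn=$1-managers,ou=groups,dc=example,dc=com" write
        by * read

# 3. Everything below the department, at any depth. The greedy ^.+, keeps
#    $1 bound to the OU directly under the suffix, not a nested sub-OU.
access to dn.regex="^.+,ou=([^,]+),dc=example,dc=com$"
        by group.expand="cn=$1-managers,ou=groups,dc=example,dc=com" write
        by * read

# 4. Nothing else is writable through ACLs. A department's managers get no
#    write access in any other OU, which is the isolation Heather asked for.
#    The rootdn is not subject to ACLs and keeps full access regardless.
access to *
        by * read
```

Because rule 1 also matches ou=groups itself, a cn=groups-managers group would be able to edit that entry; if that is not wanted, put the group container under a different suffix or add a more specific rule for it before rule 1.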