
Re: Access Control by Organizational Unit?



On Wed, 19.05.2004 at 13:43, Heather Lockridge wrote:

> I would like to implement an ldap scheme so that each
> department which is an organizational unit has a
> person who can control the entries for their
> department and no others.  
> 
> By this I mean that that person will have the right to
> add/delete/modify entries in their own ou only.

Well, here is an example on this test rig where a group is allowed write
access to "ordinary" users in the ou people. It could just as well be a
person. One has to give access both to the base of the dn tree and to
its children, therefore the two ACLs.

# ACL 1: the OU entry itself (the base of the subtree)
access to dn=ou=people,ou=groups,dc=billy,dc=demon,dc=nl
  by dn=cn=admin,dc=billy,dc=demon,dc=nl write
  by group=cn=peoplemanagers,ou=groups,dc=billy,dc=demon,dc=nl write
  by * read

# ACL 2: the OU's "children" pseudo-attribute, i.e. the right to add
# and delete entries beneath it (continuation line starts with whitespace)
access to dn=ou=people,ou=groups,dc=billy,dc=demon,dc=nl
  attrs=children
  by dn=cn=admin,dc=billy,dc=demon,dc=nl write
  by group=cn=peoplemanagers,ou=groups,dc=billy,dc=demon,dc=nl write
  by * read

> This is on a Fedora Core 1 system.

Oh dear, RedHat's stock OL 2.0.27 again. I'm a RH person but kill RHEL3,
Fedora - whatever OL and put my own - latest empirically stable - on the
distro. I don't know whether 2.0.27 knows the concept of base and
children.

--Tonni

-- 

We make out of the quarrel with others rhetoric
but out of the quarrel with ourselves, poetry.

mail: tonni@billy.demon.nl
http://www.billy.demon.nl
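A generalised form of the two ACLs above, added here as an example and not taken from Tonni's test rig or from the OpenLDAP project: one regex clause per level delegates each department to its own manager group instead of naming one OU and one group. It assumes OpenLDAP 2.3 or later slapd.conf syntax (dn.regex, group.expand, the children/entry pseudo-attributes), a constructed suffix of dc=example,dc=com, and the naming convention that the managers of ou=<name> are the members of cn=<name>-managers under ou=groups.

```conf
# Added example (not from the thread): per-department delegation on
# OpenLDAP 2.3+ with a constructed suffix dc=example,dc=com.
# Assumed convention: managers of ou=<name> are the members of
# cn=<name>-managers,ou=groups,dc=example,dc=com. $1 is the <name>
# captured by the dn.regex of the same "access to" clause.
# Clauses are tried in order; the first "to" that matches decides.
# The rootdn bypasses ACLs entirely, so it needs no "by" line here.

# 1. Adding, deleting or renaming entries directly under an OU needs
#    write on the OU's "children" pseudo-attribute. Nothing else on the
#    OU entry is granted, so managers cannot modify or remove the OU.
access to dn.regex="^ou=([^,]+),dc=example,dc=com$" attrs=children
  by group.expand="cn=$1-managers,ou=groups,dc=example,dc=com" write
  by * none

# 2. Keep passwords out of the delegation: write on userPassword would
#    let a manager set a colleague's password and then bind as them.
#    Consequence: managers create new entries without a userPassword.
access to dn.regex="^[^,]+,ou=[^,]+,dc=example,dc=com$" attrs=userPassword
  by self write
  by anonymous auth
  by * none

# 3. Everything else on the entries one level below an OU, including the
#    "entry" pseudo-attribute needed to add or delete them, is writable
#    by that OU's managers only; other authenticated users may read.
access to dn.regex="^[^,]+,ou=([^,]+),dc=example,dc=com$"
  by group.expand="cn=$1-managers,ou=groups,dc=example,dc=com" write
  by users read
  by * none

# 4. Default for the OU entries themselves, ou=groups and the suffix.
access to *
  by users read
  by * none
```

A manager in cn=sales-managers can therefore add, change and delete entries under ou=sales but gets no write access to ou=hr, and no manager can reset anyone's password.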