Re: Re: Access Control by Organizational Unit?
You were kind enough to suggest a set of ACLs for an organizational structure which I am trying to put together using openldap, in mid May.

Since then I have gotten the latest version of the openldap sw and the bdb software working. The ACL structure which you suggested works fine, which was:

quoting your email:
access to dn.regex="[^,]*,(ou=.*)" attr=userPassword
        by self ssf=128 write
        by dn.regex="cn=Directory Manager,$1" ssf=128 write
        by * ssf=128 auth
access to dn.regex="[^,]*,(ou=.*)"
        by dn.regex="cn=Directory Manager,$1" write
        by * read
access to dn.regex="(ou=.*)" attr=children
        by dn.regex="cn=Directory Manager,$1" write
        by * read
The "[^,]*," says that the directive applies to entries directly below the ou. It will not work if the OU contains entries with "," in their RDN. Or if you want to give the manager access to subtrees below the OU, and you do not have OUs below OUs, use 'dn.regex=.*,(ou=.*)'. If that does not fit your organizational structure, I can probably come up with a more complicated regex if you tell me what it should match.
end quoting your email.
All the above works fine, but I realize that now I need the Directory Manager to be able to create OUs below the OU of which he is the Directory Manager and then also to create and change people's cn entries in that OU.

I can't figure out how to make that set of ACL statements.
The structure looks like this:

domain.com
    ou-one
        Directory Manager for ou-one
        Person in ou-one
        ou one-A            Sub ou of ou-one
            Person in ou one-A
    ou-two
        Directory Manager for ou-two
        Person in ou two
        ou two-A            Sub ou of ou-two
            Person in ou-two-A
        ou two-B            sub ou of ou-two
            Person in ou-two-B
Thanks!
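Added example (not code from the thread or from OpenLDAP): a small Python simulation of how the quoted dn.regex clauses expand $1 for entries at different depths of the structure drawn in the post, showing why the "[^,]*," form only reaches entries directly under an OU while the ".*," form also reaches sub-OUs. It assumes a base of dc=domain,dc=com standing in for domain.com, that $1 is substituted textually, and that Python's re picks the same capture as slapd's regex(7) for these patterns.

```python
import re

# Assumed: patterns are matched against the whole DN, $1 is substituted
# textually into the by-clause, and Python's re captures the same group
# as slapd's regex(7) would for these two patterns.
DIRECT = r"[^,]*,(ou=.*)"    # pattern from the thread: entries directly under an OU
SUBTREE = r".*,(ou=.*)"      # pattern the quoted reply suggests for whole subtrees
MANAGER_BY = "cn=Directory Manager,$1"


def manager_for(entry_dn, pattern):
    """Expand the by-clause 'cn=Directory Manager,$1' for entry_dn.
    Returns None when the 'access to' clause does not match entry_dn at all."""
    m = re.fullmatch(pattern, entry_dn)
    return None if m is None else MANAGER_BY.replace("$1", m.group(1))


def can_write(manager_dn, entry_dn, pattern):
    """True if manager_dn is granted write on entry_dn under the given pattern.
    The expanded clause is itself a regex in slapd; these DNs carry no metacharacters."""
    target = manager_for(entry_dn, pattern)
    return target is not None and re.fullmatch(target, manager_dn) is not None


# Constructed DNs following the structure in the post (base dc=domain,dc=com assumed).
MGR_ONE = "cn=Directory Manager,ou=one,dc=domain,dc=com"
MGR_TWO = "cn=Directory Manager,ou=two,dc=domain,dc=com"
PERSON_ONE = "cn=Person,ou=one,dc=domain,dc=com"
PERSON_ONE_A = "cn=Person,ou=one-A,ou=one,dc=domain,dc=com"
SUB_OU_ONE_A = "ou=one-A,ou=one,dc=domain,dc=com"

if __name__ == "__main__":
    # Show which manager DN each clause resolves to at each depth.
    for dn in (PERSON_ONE, PERSON_ONE_A, SUB_OU_ONE_A):
        for name, pat in (("direct", DIRECT), ("subtree", SUBTREE)):
            print(f"{name:7} {dn:45} -> {manager_for(dn, pat)}")
```

With the ".*," form the greedy leading ".*" swallows "cn=Person,ou=one-A", so $1 becomes "ou=one,dc=domain,dc=com" and the ou-one manager matches; with "[^,]*," the capture starts at ou=one-A and the expanded manager DN no longer exists.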