Access Control (ACL vs. ACI)
First, a little background: I want to demo an LDAP-based communications
directory for a charitable organization that has over 80 different
departments, branches, and locations, all of which are semi-autonomous, and
are expected to keep track of personnel changes on their own. Imagine
something like this:
Department A: UK
Department B: USA
Department C: France
Department A should be able to edit only the personnel that belong to it, and
not those who belong in B or C. The easy (albeit ungraceful and problematic)
way would be to create a tree where the personnel are children of the
departments, and then just assign ACLs that way. However, since there is some
movement between departments, any time someone moved from, say, A to B, their
entry under A would have to be deleted and recreated under B.
So then I thought I could use ACI. I could have two trees, say People (a
flat list), and Departments. Every person would have an attribute (say o=A)
and any department that had a matching attribute would be able to edit that
entry. So the first question is, is this a good idea? If so, what exactly
would the ACI look like? I'm guessing something like:
OpenLDAPaci: 1#entry#grant;r,w,s,c;[all]#?#o=A,ou=Departments,dn=acme
I've looked at http://www.openldap.org/faq/data/cache/634.html, but I'm not
exactly sure what type to use, hence the question mark. Other suggestions
welcomed. I'm using OpenLDAP 2.2.23 on Debian Sarge.
:Peter
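The "flat People tree plus a department attribute" design above can be expressed with plain slapd.conf ACLs rather than ACIs, using a set-based `by` clause. The fragment below is an added illustration, not from the original post: it assumes a suffix of `dc=acme`, the containers `ou=People,dc=acme` and `ou=Departments,dc=acme`, that each person carries the department name in the `o` attribute as proposed, and that each department editor binds as an entry whose own `o` value matches. The admin DN `cn=admin,dc=acme` is likewise assumed.

```conf
# slapd.conf ACL fragment (added example; suffix, containers and admin DN
# are assumptions, not values from the original post).

# Keep the department tag itself under central control: if editors could
# rewrite "o", a department could move people into or out of itself, or
# into another department, on its own.
access to dn.subtree="ou=People,dc=acme" attrs=o
    by dn.exact="cn=admin,dc=acme" write
    by * read

# Every other attribute of a person is writable by a bound user whose own
# "o" value(s) intersect the target entry's "o" value(s).
#   user/o : values of "o" in the entry the client bound as
#   this/o : values of "o" in the entry being accessed
# A non-empty intersection makes the clause match.
access to dn.subtree="ou=People,dc=acme"
    by set="user/o & this/o" write
    by * read

# Adding or deleting a person needs write access to the "children"
# pseudo-attribute of ou=People, which cannot be tied to one department
# with this scheme, so leave it with the central admin.
access to dn.exact="ou=People,dc=acme" attrs=children
    by dn.exact="cn=admin,dc=acme" write
    by * none
```

Two caveats for a 2.2-era server: set-based ACLs are documented as experimental in slapd.access(5) of that vintage, so confirm they are supported by your build before relying on them, and ACL clauses are matched in order, so the `attrs=o` rule must appear before the general rule or it will never be reached. If the number of per-person attributes the departments may edit is small, an explicit `attrs=` list on the second rule is tighter than the default of all attributes.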