[Date Prev][Date Next] [Chronological] [Thread] [Top]

access control question



[Apologies if this arrives twice; I sent it yesterday but I didn't get a
copy back from the list, nor is there a copy at www.mail-archive.com.]

I have a slightly unusual access control requirement which I'd
appreciate some advice on.

In our directory there are bunch of per-project subtrees:
  ou=project1,ou=projects,... 
  ou=project2,ou=projects,... 

I've been controlling write access to the subtrees like this:

access to dn.regex="ou=([^,]+),ou=projects,..."
  by group.expand="cn=administrators,ou=$1,ou=projects,..." write
  by * read

where cn=administrators is a groupOfNames. This works well.

Now I've been asked to implement the following additional behaviour:

If a cn=readers groupOfNames entry is present, allow read-only access to
those DNs, allow write access to DNs in cn=administrators, and disallow
access to everyone else. But if there is NO cn=readers entry, allow read
access to anyone.

The first part is a simple extension of what I've already got. But how
can I implement the different behaviour with no cn=readers entry?

I'm using OpenLDAP 2.2 with the bdb backend. I'm happy to upgrade to
2.3 if necessary.

Thanks in advance.

Dave
-- 
** Dave Holland ** Systems Support -- Special Projects Team **
** 01223 496923 ** Sanger Institute, Hinxton, Cambridge, UK **