
Groups within groups for ACLs



I have a question about ACLs and allowing granulated access to our OpenLDAP
tree.  I am not sure how flexible the ACL structure within OpenLDAP is and
could not find any examples of others using a similar system for permissioning
their tree.

This is what we would like to achieve using OpenLDAP:
At the very top we have our security officer(s) who should delegate
access to sub groups or people that are responsible for their area.
Below that we have groups of people that can make changes and grant
access to specific resources.

I would like to permit these changes by adding and removing users from
groups.

So for example:

Security officer group contains a user(s):

        cn=security-officer,ou=groups,ou=auth,dc=foo,dc=org

The security officer can then only create and delete groups matching:
        cn=control-.*,ou=groups,ou=auth,dc=foo,dc=org
Members of the security officer group should also be able to add and
delete members of this group.

example control groups are:

        cn=control-unix,ou=groups,ou=auth,dc=foo,dc=org
        cn=control-mainframe,ou=groups,ou=auth,dc=foo,dc=org
        cn=control-network,ou=groups,ou=auth,dc=foo,dc=org

In a similar way members of control-* should then be able to only
modify the contents of:

        access-.*,ou=groups,ou=auth,dc=foo,dc=org container.

example access groups are:

        cn=access-network-proxy01,ou=groups,ou=auth,dc=foo,dc=org
        cn=access-network-switch01,ou=groups,ou=auth,dc=foo,dc=org
        cn=access-network-router01,ou=groups,ou=auth,dc=foo,dc=org
        cn=access-unix-server01,ou=groups,ou=auth,dc=foo,dc=org
        cn=access-unix-server02,ou=groups,ou=auth,dc=foo,dc=org

So for example members of cn=control-unix can *ONLY* change groups that
match access-unix-hostname01.  Likewise a member of the
cn=control-network will only be able to make changes to
cn=access-network-switch34.

Is there a simpler way to think about this?  Here are the ACLs that I
have come up with to support this:

# the security manager(s) are members of the following group:
# cn=securitymanager,ou=groups,ou=auth,dc=foo,dc=org
# we give them access to change groups containing the match for
# cn=control-.*,ou=groups,ou=auth,dc=foo,dc=org
# dn.regex= is needed for a pattern match (plain dn= means one exact DN);
# the pattern is anchored so it cannot match a longer DN further down the tree.
# Within one "access to" clause the first matching "by" clause wins, so a
# "read" line placed before the "write" line for the same group would leave
# that group with read only; "write" already includes read.
access to dn.regex="^cn=control-[^,]+,ou=groups,ou=auth,dc=foo,dc=org$" attrs=member
        by group="cn=securitymanager,ou=groups,ou=auth,dc=foo,dc=org" write

# the control managers are members of the groups:
# cn=control-*,ou=groups,ou=auth,dc=foo,dc=org
# They have permission to add and remove users from the access-*
# groups
# ie groups matching cn=access-*,ou=groups,ou=auth,dc=foo,dc=org
# The parenthesised part of the regex captures the area name ("unix",
# "network", ...); group.expand= substitutes it for $1 in the group DN, so
# members of cn=control-unix get write on cn=access-unix-* only.  After
# expansion the group value must be a complete DN, not another regex.
access to dn.regex="^cn=access-([^-]+)-[^,]+,ou=groups,ou=auth,dc=foo,dc=org$" attrs=member
        by group.expand="cn=control-$1,ou=groups,ou=auth,dc=foo,dc=org" write

Should I be using this $MATCH syntax for this or will this be putting
unnecessary load on the OpenLDAP server?
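The following is an added example, not code from the post above or from the OpenLDAP project. It is a small Python model of two slapd ACL rules that decide whether the scheme works: within one "access to" clause the first matching "by" clause wins, and a "$1" in a group.expand= DN is filled from a parenthesised group in the dn.regex= target. The directory contents (alice, bob, carol and the group DNs) are constructed sample data. The "posted" rule sets reproduce the two pitfalls in the ACLs as written (read listed before write for the same group; $1 used without a capture group), and the "fixed" set shows the intended mapping of control-<area> to access-<area>-*; for the second posted rule the toy applies expand semantics so the missing capture group is visible.

```python
import re
from dataclasses import dataclass

BASE = "ou=groups,ou=auth,dc=foo,dc=org"
SECMGR = f"cn=securitymanager,{BASE}"
CTRL_UNIX = f"cn=control-unix,{BASE}"
CTRL_NET = f"cn=control-network,{BASE}"
ACC_UNIX = f"cn=access-unix-server01,{BASE}"
ACC_NET = f"cn=access-network-switch01,{BASE}"
ALICE = "uid=alice,ou=people,dc=foo,dc=org"   # security manager
BOB = "uid=bob,ou=people,dc=foo,dc=org"       # member of control-unix
CAROL = "uid=carol,ou=people,dc=foo,dc=org"   # member of control-network

# Constructed sample directory: group DN -> set of member DNs.
GROUPS = {SECMGR: {ALICE}, CTRL_UNIX: {BOB}, CTRL_NET: {CAROL},
          ACC_UNIX: set(), ACC_NET: set()}


@dataclass
class By:
    group: str          # group DN; may contain $1.. when expand is True
    access: str         # "read" or "write" (the toy ignores slapd's other levels)
    expand: bool = False


@dataclass
class Acl:
    target: str         # regex matched against the target DN, like dn.regex=
    by: list


def evaluate(acls, target_dn, bind_dn):
    """Access level of bind_dn on the member attribute of target_dn.

    Models slapd's rule: the first "access to" clause whose target matches is
    used, and within it the first matching "by" clause decides; if no "by"
    clause matches the result is "none" (the implicit final deny)."""
    for acl in acls:
        m = re.search(acl.target, target_dn)   # slapd regexes are unanchored unless ^ $ given
        if m is None:
            continue
        for clause in acl.by:
            group_dn = clause.group
            if clause.expand:
                def fill(ref):
                    idx = int(ref.group(1))
                    if idx > m.re.groups:
                        raise ValueError(f"${idx} referenced but the target regex "
                                         f"has only {m.re.groups} capture group(s)")
                    return m.group(idx)
                group_dn = re.sub(r"\$(\d)", fill, group_dn)
            if bind_dn in GROUPS.get(group_dn, set()):
                return clause.access
        return "none"
    return "none"


# Security-officer rule as posted: "read" listed before "write" for the same group.
POSTED_OFFICER_ACL = [
    Acl(rf"cn=control-.*,{BASE}", [By(SECMGR, "read"), By(SECMGR, "write")]),
]

# Control-manager rule as posted: $1 is used, but "cn=access-.*" captures nothing.
POSTED_CONTROL_ACL = [
    Acl(rf"cn=access-.*,{BASE}", [By(f"cn=control-$1-.*,{BASE}", "write", expand=True)]),
]

# Corrected rules: anchored targets, one "write" clause, and a capture group
# that turns cn=access-unix-server01 into the group cn=control-unix.
FIXED_ACLS = [
    Acl(rf"^cn=control-[^,]+,{BASE}$", [By(SECMGR, "write")]),
    Acl(rf"^cn=access-([^-]+)-[^,]+,{BASE}$",
        [By(f"cn=control-$1,{BASE}", "write", expand=True)]),
]


if __name__ == "__main__":
    print("posted officer rule, alice on control-unix:",
          evaluate(POSTED_OFFICER_ACL, CTRL_UNIX, ALICE))
    for who, name in ((ALICE, "alice"), (BOB, "bob"), (CAROL, "carol")):
        for target in (CTRL_UNIX, ACC_UNIX, ACC_NET):
            print(f"fixed rules, {name} on {target.split(',')[0]}:",
                  evaluate(FIXED_ACLS, target, who))
```

Running the block prints that the posted officer rule grants alice only "read", whereas the fixed rules give her "write" on control-unix, give bob "write" on access-unix-server01 but "none" on access-network-switch01, and give carol the reverse. Evaluating the posted control rule raises, because there is no capture group for $1 to refer to.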