Groups within groups for ACLs
I have a question about ACLs and allowing granulated access to our OpenLDAP tree. I am not sure how flexible the ACL structure within OpenLDAP is and could not find any examples of others using a similar system for permissioning their tree.
This is what we would like to achieve using OpenLDAP:
At the very top we have our security officer(s) who should delegate
access to sub groups or people that are responsible for their area.
Below that we have groups of people that can make changes and grant
access to specific resources.
I would like to permit these changes by adding and removing users from groups.
So for example:
Security officer group contains a user(s):
cn=security-officer,ou=groups,ou=auth,dc=foo,dc=org
The security officer can then only create and delete groups matching:
cn=control-.*,ou=groups,ou=auth,dc=foo,dc=org
Members of the security officer group should also be able to add and delete members of this group.
Example control groups are:
cn=control-unix,ou=groups,ou=auth,dc=foo,dc=org
cn=control-mainframe,ou=groups,ou=auth,dc=foo,dc=org
cn=control-network,ou=groups,ou=auth,dc=foo,dc=org
In a similar way, members of control-* should then only be able to modify the contents of the
access-.*,ou=groups,ou=auth,dc=foo,dc=org container.
Example access groups are:
cn=access-network-proxy01,ou=groups,ou=auth,dc=foo,dc=org
cn=access-network-switch01,ou=groups,ou=auth,dc=foo,dc=org
cn=access-network-router01,ou=groups,ou=auth,dc=foo,dc=org
cn=access-unix-server01,ou=groups,ou=auth,dc=foo,dc=org
cn=access-unix-server02,ou=groups,ou=auth,dc=foo,dc=org
So for example, members of cn=control-unix can *ONLY* change groups that match access-unix-hostname01. Likewise, a member of cn=control-network will only be able to make changes to cn=access-network-switch34.
Is there a simpler way to think about this? Here are the ACLs that I have come up with to support this:
# the security manager(s) are members of the following group:
# cn=securitymanager,ou=groups,ou=auth,dc=foo,dc=org
# we give them access to change groups matching
# cn=control-.*,ou=groups,ou=auth,dc=foo,dc=org
# dn.regex is required for a pattern; a bare dn="..." is an exact DN match.
# One "write" clause is enough: write implies read, and slapd stops at the
# first <by> clause that matches the requester, so a "read" clause listed
# first would stop a later "write" clause for the same group from applying.
# attrs=member only covers membership changes; creating or deleting the
# control-* entries themselves also needs write on "entry" and on the
# parent's "children" pseudo-attributes.
access to dn.regex="^cn=control-[^,]+,ou=groups,ou=auth,dc=foo,dc=org$" attrs=member
        by group="cn=securitymanager,ou=groups,ou=auth,dc=foo,dc=org" write
# the control managers are members of the groups:
# cn=control-<area>,ou=groups,ou=auth,dc=foo,dc=org
# They have permission to add and remove users from the access-<area>-*
# groups, ie groups matching cn=access-<area>-.*,ou=groups,ou=auth,dc=foo,dc=org
# The first capture group is the <area> (unix, network, ...); group.expand
# substitutes $1 into the group DN, which must then be an exact DN (the
# expanded value is not itself treated as a pattern).
access to dn.regex="^cn=access-([^-,]+)-[^,]+,ou=groups,ou=auth,dc=foo,dc=org$" attrs=member
        by group.expand="cn=control-$1,ou=groups,ou=auth,dc=foo,dc=org" write
Should I be using this $MATCH syntax for this or will this be putting unnecessary load on the OpenLDAP server?
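Added example, not part of the original post: a small Python model of how slapd evaluates this pair of ACLs (first matching "access to" target wins, first matching "by" clause wins, $1 expanded from the dn.regex capture group). The group and user DNs are constructed sample data; it lets you check that a control-unix member cannot touch access-network-* groups before loading the ACLs into a live server.

```python
import re

# Constructed sample directory: group DN -> set of member DNs.
BASE = "ou=groups,ou=auth,dc=foo,dc=org"
GROUPS = {
    f"cn=securitymanager,{BASE}": {"uid=alice,ou=people,dc=foo,dc=org"},
    f"cn=control-unix,{BASE}": {"uid=bob,ou=people,dc=foo,dc=org"},
    f"cn=control-network,{BASE}": {"uid=carol,ou=people,dc=foo,dc=org"},
    f"cn=access-unix-server01,{BASE}": set(),
    f"cn=access-network-switch01,{BASE}": set(),
}

# Each entry models one "access to dn.regex=... attrs=member" directive:
# (target regex, list of (group DN template using $1.., access level)).
ACLS = [
    (rf"^cn=control-[^,]+,{BASE}$",
     [(f"cn=securitymanager,{BASE}", "write")]),
    (rf"^cn=access-([^-,]+)-[^,]+,{BASE}$",
     [(f"cn=control-$1,{BASE}", "write")]),
]


def access_level(requester_dn, target_dn):
    """Return the level the first matching clause grants for the member attribute, or 'none'."""
    for target_re, by_clauses in ACLS:
        m = re.match(target_re, target_dn)
        if not m:
            continue  # this "access to" does not apply; slapd tries the next one
        for group_template, level in by_clauses:
            # group.expand semantics: replace $N with the Nth capture group of the target regex
            group_dn = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), group_template)
            if requester_dn in GROUPS.get(group_dn, set()):
                return level  # first matching "by" clause wins
        return "none"  # target matched, no clause matched: implicit "by * none"
    return "none"  # no directive matched the target at all


if __name__ == "__main__":
    for who, target in [("uid=bob,ou=people,dc=foo,dc=org", f"cn=access-unix-server01,{BASE}"),
                        ("uid=bob,ou=people,dc=foo,dc=org", f"cn=access-network-switch01,{BASE}")]:
        print(who, "->", target, ":", access_level(who, target))
```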