
Re: User to administrate an OU



On Mon, Feb 02, 2009 at 05:59:40PM -0200, Leandro Repolho wrote:

> Hello, I don't know if it is possible to do it, but I would like to create a
> user inside an OU of my OpenLDAP server, and when this user connects to an
> LDAP manager like phpLdapAdmin he needs to see all objects inside his OU and
> manage them. Is it possible to do it?

Yes. This sort of thing can be done very efficiently using regular
expressions.

Suppose you have an organisation with DN dc=example,dc=org and OUs
under it, then a directive like this will give write access to
the user with the name 'cn=admin,ou=people,ou=XXX,dc=example,dc=org':

# Allow admin to write all entries inside their own department
#
# The regex group captures the department OU's DN (e.g. "ou=XXX,dc=example,dc=org");
# ",expand" substitutes it for $1 in the 'by' clause, so the admin entry is
# cn=admin,ou=people,ou=XXX,dc=example,dc=org for that department.
access to dn.regex="(ou=[^,]+,dc=example,dc=org)$"
        by dn.subtree,expand="cn=admin,ou=people,$1" write
        by * break

The regex recognises entries under any OU, and saves the DN of
the OU in $1. This is then substituted into the 'by' clause to
give access to the right admin.

I will be presenting a paper on ACL design at the UKUUG Spring
Conference in London, and this is very close to one of the examples.
http://www.skills-1st.co.uk/papers/ldap-acls-jan-2009/

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
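The following is an added illustration, not code from Andrew's message or from OpenLDAP: a small Python model of how slapd evaluates the `dn.regex` / `by dn.subtree,expand` rule above, so the behaviour can be checked offline before it goes into slapd.conf. It assumes a simplified DN normalisation (lower-casing and trimming whitespace around commas) and models only this single access directive; the sample DNs are constructed for the example.

```python
import re

# The ACL from the message: target regex with one capture group, and the
# 'by' clause template whose $1 is expanded from that group.
ACL_TARGET = re.compile(r"(ou=[^,]+,dc=example,dc=org)$")
ACL_BY_TEMPLATE = "cn=admin,ou=people,$1"


def normalise(dn):
    # Simplified DN normalisation (assumption): lower-case and trim spaces
    # around RDN separators so comparisons are not case- or whitespace-sensitive.
    return ",".join(part.strip() for part in dn.lower().split(","))


def expand(template, match):
    # Replace $1..$9 in the 'by' clause with the target regex capture groups,
    # which is what the ",expand" modifier does in slapd.
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))), template)


def is_subtree(base, dn):
    # dn.subtree semantics: the base entry itself or anything below it.
    return dn == base or dn.endswith("," + base)


def matching_admin(target_dn):
    """Return the expanded admin DN that this rule would grant write on
    target_dn, or None if the target is not under any department OU."""
    m = ACL_TARGET.search(normalise(target_dn))
    if not m:
        return None
    return expand(ACL_BY_TEMPLATE, m)


def can_write(requester_dn, target_dn):
    """Evaluate the rule for one requester/target pair.

    Returns True when the rule grants write. Returns None when the rule does
    not apply or when the requester falls through 'by * break' (slapd would
    then continue with later access directives)."""
    admin_base = matching_admin(target_dn)
    if admin_base is None:
        return None  # target does not match the regex; rule is skipped
    if is_subtree(admin_base, normalise(requester_dn)):
        return True  # department admin (or an entry beneath it) gets write
    return None  # 'by * break': no decision here


if __name__ == "__main__":
    # Constructed sample DNs: two departments, each with its own admin.
    sales_admin = "cn=admin,ou=people,ou=sales,dc=example,dc=org"
    cases = [
        (sales_admin, "uid=bob,ou=people,ou=sales,dc=example,dc=org"),
        (sales_admin, "uid=alice,ou=people,ou=eng,dc=example,dc=org"),
        ("uid=bob,ou=people,ou=sales,dc=example,dc=org",
         "uid=carol,ou=people,ou=sales,dc=example,dc=org"),
        (sales_admin, "dc=example,dc=org"),
    ]
    for requester, target in cases:
        print(f"{requester} -> {target}: {can_write(requester, target)}")
```

The second case is the check that matters for delegation: the sales admin gets no grant on an entry in ou=eng because $1 expands to the engineering OU's DN, whose admin is a different entry. Note also that `dn.subtree` matches entries beneath the admin DN as well as the admin entry itself; if nothing is ever created below cn=admin, `dn.exact,expand` gives the same result with a tighter match.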