
Tree, ACL and auth...



Hello!

I'd like to create administrator groups under each OU, so that this
administrator will be allowed to manage everything in this OU.
By default, I'm creating a simpleSecurityObject with cn=admin in each
administrators group, so the OU administrator can log in as the OU, or if there
are more administrators, they can use admin_name@OU as the username.
This works nicely if I have OUs on one level. I have no idea how to do it
if I will have a more complicated structure, i.e.:

root
 +-ou=department1
 |  +-ou=administrators
 |     +-cn=admin
 |     +-cn=admin2
 |
 +-ou=department2
    +-ou=administrators
    |  +-admin
    |
    +-ou=subdepartment1
    |  +-ou=administrators
    |     +-admin
    +-ou=subdepartment2
    |  +-ou=administrators
    |     +-admin
    ...

I can assume that all departments will have unique names. I'd like that
each admin will be able to log in as the department (=>admin@department) or as
user@department.

Is there any way to ensure that each ou (with a specific
objectClass=departement) will have a unique name?
Is it possible to construct a bind DN with only the department (ou) name?
I'd like to avoid using a login name like admin2@subdepartment2.department2
if I'm sure that the subdepartment2 name is unique.
I've tried to do it in two steps: search for the DN of subdepartment-N as
anonymous, then add "cn=admin,ou=administrators" as a prefix and then
log in as the right user with the password. It works, but it requires read access
to the whole tree for anonymous, which may not be acceptable.
I've tried to limit anonymous access to only the dc and ou attributes, but
with such an ACL I see only the first level of ou.

Thanks in advance!
-- 
Jarek <jarek@poczta.srv.pl>
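The two-step search-then-bind resolution described in the post, as an added example (not code from the original message): it maps admin@department, or a bare department name meaning cn=admin, to a bind DN, escapes the user-supplied parts so they cannot alter the search filter or the resulting DN, and refuses to guess when the department name is not unique in the tree. The in-memory directory, the dc=example,dc=org suffix and the use of the post's "departement" objectClass in the filter are assumptions.

```python
"""Resolve 'user@department' to a bind DN the way a search-then-bind client
does, without a live server: the directory below stands in for what an
anonymous search restricted to ou entries would return (constructed data)."""
import re

# Constructed sample: DN -> ou value, as seen by the anonymous search step.
# 'sales' appears twice on purpose, to exercise the uniqueness check.
SAMPLE_OUS = {
    "ou=department1,dc=example,dc=org": "department1",
    "ou=department2,dc=example,dc=org": "department2",
    "ou=subdepartment1,ou=department2,dc=example,dc=org": "subdepartment1",
    "ou=subdepartment2,ou=department2,dc=example,dc=org": "subdepartment2",
    "ou=sales,ou=department1,dc=example,dc=org": "sales",
    "ou=sales,ou=department2,dc=example,dc=org": "sales",
}

def escape_filter(value):
    """RFC 4515 escaping: a login name must not be able to rewrite the filter."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)

def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value placed inside a DN."""
    value = re.sub(r'([,+"\\<>;=])', r"\\\1", value)
    if value.startswith(("#", " ")):
        value = "\\" + value
    if value.endswith(" "):
        value = value[:-1] + "\\ "
    return value

def department_filter(department, object_class="departement"):
    """The filter the anonymous step would send (objectClass name from the post)."""
    return "(&(objectClass=%s)(ou=%s))" % (object_class, escape_filter(department))

def search_ous(directory, department):
    """Stand-in for the anonymous search: DNs whose ou matches (case-insensitive)."""
    return [dn for dn, ou in directory.items() if ou.lower() == department.lower()]

def resolve_bind_dn(login, directory):
    """'user@department' or 'department' (=> cn=admin) -> bind DN.
    Exactly one department match is required; otherwise the login is refused
    rather than binding against whichever subtree happened to come first."""
    user, _, department = login.rpartition("@")
    user = user or "admin"
    matches = search_ous(directory, department)
    if len(matches) != 1:
        raise LookupError("department %r matched %d entries" % (department, len(matches)))
    return "cn=%s,ou=administrators,%s" % (escape_dn_value(user), matches[0])
```

In a real deployment the anonymous step only needs to return DNs of department entries, so the ACL can grant anonymous search on ou plus read on the entry pseudo-attribute for those entries and nothing else.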