Hello,

I'm designing a directory structure for our radio amateur union, and I have a problem with a somewhat complex ACL (for me). Before I ask my question, I want to mention that this structure is not in production, so it can always change. I may have designed the structure wrong, and there may be a better way to represent it. However, I believe that this is the correct way of representing our amateur radio union's organization.

As a radio amateur union, we have different branches across different cities. These branches have their own members and their own managers. Additionally, there is a unit which is the manager of the whole union. Its members are listed in "cn=general-managers,<base dn>". All of the user information is stored under "ou=people,<base dn>" and the 'memberOf' overlay is enabled. The structure is below:

==== BEGIN: directory structure ====
- <base dn>
  - cn=general-managers (groupOfNames)
  - ou=branch
    - ou=foo-city
      - cn=managers (groupOfNames)
      - cn=members (groupOfNames)
    - ou=bar-city
      - cn=managers (groupOfNames)
      - cn=members (groupOfNames)
    ...
  - ou=people
    - cn=ta1aet (inetOrgPerson)
        memberOf: cn=managers,ou=foo-city,ou=branch,<base dn>
        memberOf: cn=members,ou=foo-city,ou=branch,<base dn>
    - cn=CALLSIGN1
        memberOf: cn=members,ou=foo-city,ou=branch,<base dn>
    - cn=CALLSIGN2
        memberOf: cn=members,ou=bar-city,ou=branch,<base dn>
    - cn=CALLSIGNn
    ...
==== END: directory structure ====

So far, I have managed to write an ACL for "ou=people". The users have write permission to some of the attributes such as "givenName, sn, mail, address", but they don't have permission to edit "title" (which should be edited by his manager in his branch). What I am aiming for is listed below.

1- People in cn=managers,ou=XXXX,ou=branch should be able to add a new user/member under "ou=people,<base dn>" (of course, setting the member attribute of their branch "cn=members,ou=XXXX,ou=branch").
2- These managers (cn=managers,ou=XXX,ou=branch) should only be able to edit attributes of members registered to them. So, only people that are members of "cn=members,ou=XXX,ou=branch" should be editable by "cn=managers,ou=XXX,ou=branch".
3- Any user should be able to edit some (e.g. not 'title') of his attributes (I've done it, but I'm not sure if it can be done in a more elegant way. Config is attached at the end).
4- General managers should be able to edit the tree and children of "ou=branch,<base dn>" as well as "ou=people,<base dn>". This looks a bit easier compared to 1 and 2.

I have searched through all the regular expression tutorials, but none of them includes such a membership example. The "access to" syntax has a "filter" option. Since 'access to' requires the <what> clause first, I thought of using a regular expression to filter the people according to their 'memberOf' attributes, somehow (don't know how :) ) match the branches that they belong to, and give access to the corresponding manager group. However, 'filter' does not seem to accept regular expressions, and it requires a direct attribute. I cannot proceed further right now, and I will really appreciate a hand on this issue.

My best regards and 73s!
Eren

==== BEGIN: current olcAccess ====
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=trac,dc=org,dc=tr" write by * none
olcAccess: {1}to dn.base="dc=trac,dc=org,dc=tr" by dn="cn=admin,dc=trac,dc=org,dc=tr" write by * read by anonymous none
olcAccess: {2}to dn.base="ou=people,dc=trac,dc=org,dc=tr" attrs="entry,objectClass" by dn.one="ou=people,dc=trac,dc=org,dc=tr" read by anonymous none
olcAccess: {3}to dn.one="ou=people,dc=trac,dc=org,dc=tr" attrs="givenName,sn,mail" by self write by dn.one="ou=people,dc=trac,dc=org,dc=tr" read
olcAccess: {4}to dn.one="ou=people,dc=trac,dc=org,dc=tr" attrs="entry,objectClass,cn,givenName,sn,title,mail" by dn.one="ou=people,dc=trac,dc=org,dc=tr" read by anonymous none
==== END: current olcAccess ====

--
. 73! DE TA1AET
http://linkedin.com/in/erenturkay
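One way to express aims 1 to 4 without regular expressions, as an added example that is not part of the thread: the memberOf value written by the overlay is matched with a plain `filter=` on the "to" clause, and the branch's own managers group is named in the "by" clause. It assumes the base dc=trac,dc=org,dc=tr and the branch ou=foo-city from the post, that the poster's {0} userPassword rule stays in front, and that the foo-city clauses are copied once per branch; the values are the olcAccess attribute values of the database entry under cn=config.

```ldif
# Added example (not from the thread). Assumptions: the memberof overlay
# keeps memberOf current; the original {0} userPassword rule stays in front;
# clauses load in the {n} order shown (slapd uses the first matching "to"
# and, inside it, the first matching "by"; no matching "by" means deny);
# the foo-city clauses are repeated per branch. A leading space continues a line.
# Aim 1: an add needs the "add" level on the parent's children pseudo-
# attribute and on every attribute of the new entry, including entry.
# A fresh entry has no memberOf yet, so the clause matches it with
# (!(memberOf=*)); "add" rather than "write" means branch managers can
# create such entries but not modify, rename or delete them. The post's
# {0} rule still governs userPassword, so it has to be set separately.
olcAccess: {1}to dn.base="ou=people,dc=trac,dc=org,dc=tr" attrs=children
  by group.exact="cn=general-managers,dc=trac,dc=org,dc=tr" write
  by group.exact="cn=managers,ou=foo-city,ou=branch,dc=trac,dc=org,dc=tr" add
olcAccess: {2}to dn.one="ou=people,dc=trac,dc=org,dc=tr"
  filter=(!(memberOf=*))
  attrs=entry,objectClass,cn,givenName,sn,title,mail
  by group.exact="cn=general-managers,dc=trac,dc=org,dc=tr" write
  by group.exact="cn=managers,ou=foo-city,ou=branch,dc=trac,dc=org,dc=tr" add
  by dn.one="ou=people,dc=trac,dc=org,dc=tr" read
# Aim 1, membership: only foo-city managers maintain the foo-city member list
olcAccess: {3}to dn.exact="cn=members,ou=foo-city,ou=branch,dc=trac,dc=org,dc=tr" attrs=member
  by group.exact="cn=general-managers,dc=trac,dc=org,dc=tr" write
  by group.exact="cn=managers,ou=foo-city,ou=branch,dc=trac,dc=org,dc=tr" write
  by dn.one="ou=people,dc=trac,dc=org,dc=tr" read
# Aims 2 and 3: once the entry is listed in cn=members of foo-city, memberOf
# exists and only these clauses match it; bar-city managers never do.
# title is manager-only, givenName/sn/mail are also self-writable.
olcAccess: {4}to dn.one="ou=people,dc=trac,dc=org,dc=tr"
  filter=(memberOf=cn=members,ou=foo-city,ou=branch,dc=trac,dc=org,dc=tr)
  attrs=entry,objectClass,cn,title
  by group.exact="cn=general-managers,dc=trac,dc=org,dc=tr" write
  by group.exact="cn=managers,ou=foo-city,ou=branch,dc=trac,dc=org,dc=tr" write
  by dn.one="ou=people,dc=trac,dc=org,dc=tr" read
olcAccess: {5}to dn.one="ou=people,dc=trac,dc=org,dc=tr"
  filter=(memberOf=cn=members,ou=foo-city,ou=branch,dc=trac,dc=org,dc=tr)
  attrs=givenName,sn,mail
  by group.exact="cn=general-managers,dc=trac,dc=org,dc=tr" write
  by group.exact="cn=managers,ou=foo-city,ou=branch,dc=trac,dc=org,dc=tr" write
  by self write
  by dn.one="ou=people,dc=trac,dc=org,dc=tr" read
# Aim 4: the rest of ou=branch (group entries, OUs) belongs to general managers;
# a final catch-all keeps everything not named above read-only for members.
olcAccess: {6}to dn.subtree="ou=branch,dc=trac,dc=org,dc=tr"
  by group.exact="cn=general-managers,dc=trac,dc=org,dc=tr" write
  by dn.one="ou=people,dc=trac,dc=org,dc=tr" read
olcAccess: {7}to *
  by group.exact="cn=general-managers,dc=trac,dc=org,dc=tr" write
  by dn.one="ou=people,dc=trac,dc=org,dc=tr" read
```

Because a person only ever carries one cn=members,ou=<city> value, a bar-city manager binding and modifying a foo-city member reaches {4}/{5} but matches none of their "by" clauses except read, which is the behaviour aim 2 asks for; checking it with slapacl -b <member dn> -D <manager dn> title/write before loading the config into a live server shows the decision per attribute.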