
olcAccess: Regex questions for "departments" and their admins



hi,

I'm planning the new ACL layout for our Wheezy LDAP server.

Our layout:

Main suffix:  dc=example,dc=com

then the first department:

ou=department1,dc=example,dc=com
ou=people,ou=department1,dc=example,dc=com
uid=foobar,ou=people,ou=department1,dc=example,dc=com
[...]

ou=groups,ou=department1,dc=example,dc=com
gid=students,ou=groups,ou=department1,dc=example,dc=com
[...]

ou=roles,ou=department1,dc=example,dc=com
cn=mail,ou=roles,ou=department1,dc=example,dc=com
cn=admins,ou=roles,ou=department1,dc=example,dc=com

ou=services,ou=department1,dc=example,dc=com
ou=mail,ou=services,ou=department1,dc=example,dc=com
cn=aliases,ou=mail,ou=services,ou=department1,dc=example,dc=com
[...]

next department2, the same:

ou=department2,dc=example,dc=com
ou=people,ou=department2,dc=example,dc=com
uid=foobar,ou=people,ou=department2,dc=example,dc=com

[...]
[...]
....

completely the same as department1

Now I'm stuck on the ACLs. I want to make use of regexes, so that every department has its own roles, groups and admins and has access only to its own (for example) services.

What I already have:

{0}to attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTpassword
by self =xw
by anonymous auth
by * none

{1}to dn.regex="uid=(.+),ou=people,ou=(.+),dc=example,dc=com$" attrs="myFB,myStudiengang,gender,myMatrikel,myTudUserUniqueID"
by self read
by * none

{2}to dn.regex="uid=(.+),ou=people,ou=(.+),dc=example,dc=com$" attrs="mail,myMailalias,myMailDomain,myNoMail"
by self read
by dn.regex="cn=mail,ou=roles,ou=$2,dc=example,dc=com$" read
by * none

{3}to dn.regex="^(.+,)?ou=mail,ou=services,ou=(.+)?,dc=example,dc=com$"
by dn.regex="cn=mail,ou=roles,ou=$2,dc=example,dc=com$" read

{4}to dn.regex="^(.+,)?ou=services,ou=(.+,)?dc=example,dc=com$"
by * none

{5}to *
by dn.base="cn=Admin,dc=example,dc=com" write
by * read

{6}to dn.base="dc=example,dc=com"
by self write
by dn.base="cn=Admin,dc=example,dc=com" write
by * read


I'm able to read the subtree "ou=mail,ou=services,ou=department1,dc=example,dc=com" only with the authenticated user "cn=mail,ou=roles,ou=department1,dc=example,dc=com", and "ou=mail,ou=services,ou=department2,dc=example,dc=com" only with the authenticated user "cn=mail,ou=roles,ou=department2,dc=example,dc=com", and I can't search the service tree of ou=department1 with a user from ou=department2 :-)

But why can't I see "ou=services,ou=department2,dc=example,dc=com"? Just so I know where my problem is ... for the services (Postfix in most cases) it isn't important that they can't see "ou=services".

Also I want to make sure that every department "admin group" (cn=admins,ou=roles,ou=<department>,dc=example,dc=com -> groupOfUniqueNames) can do everything under (and only under) their tree ou=<department>,ou=example,ou=com

so, any tips are welcome :-)

cu denny

pages I have already open:

http://www.openldap.org/doc/admin24/access-control.html
http://wiki.mandriva.com/fr/uploads/3/3a/Mandriva-dit-access-template.conf
http://www.openldap.org/devel/admin/slapdconf2.html
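Added example (not part of the original mail, and not OpenLDAP code): a small Python model of how slapd walks the seven olcAccess rules quoted above. slapd takes the first `to` clause whose target (and attribute list, if any) matches, then the first matching `by` clause inside it; a matching `to` with no matching `by` denies. The regexes are copied verbatim from the post, `$2` in a `by dn.regex` is expanded from the second capture group of the `to dn.regex`, and the DNs used in the checks are constructed from the layout described in the mail. Running it shows three things a reviewer of this ACL would want to see: the department backreference keeps department2's mail role out of department1's subtree; the `ou=services` entry itself falls under rule {4} (`by * none`), which is why nobody can see that container; and rule {5}'s `to *` is never reached for attributes already covered by {0}-{2}, so even cn=Admin gets `none` on a user's `mail` attribute, while rule {6} is shadowed by {5} entirely.

```python
import re

# Constructed model of the olcAccess rules from the post, in their {n} order.
# target: DN pattern (None = "to *"); exact: dn.base rather than dn.regex;
# attrs: attribute list the rule is limited to (empty = entry and every attribute);
# by: ("kind", subject pattern, access level) clauses in order.
ACL = [
    {"target": None, "exact": False,
     "attrs": {"userPassword", "shadowLastChange", "sambaLMPassword", "sambaNTpassword"},
     "by": [("self", None, "=xw"), ("anonymous", None, "auth"), ("*", None, "none")]},
    {"target": r"uid=(.+),ou=people,ou=(.+),dc=example,dc=com$", "exact": False,
     "attrs": {"myFB", "myStudiengang", "gender", "myMatrikel", "myTudUserUniqueID"},
     "by": [("self", None, "read"), ("*", None, "none")]},
    {"target": r"uid=(.+),ou=people,ou=(.+),dc=example,dc=com$", "exact": False,
     "attrs": {"mail", "myMailalias", "myMailDomain", "myNoMail"},
     "by": [("self", None, "read"),
            ("dn.regex", r"cn=mail,ou=roles,ou=$2,dc=example,dc=com$", "read"),
            ("*", None, "none")]},
    {"target": r"^(.+,)?ou=mail,ou=services,ou=(.+)?,dc=example,dc=com$", "exact": False,
     "attrs": set(),
     "by": [("dn.regex", r"cn=mail,ou=roles,ou=$2,dc=example,dc=com$", "read")]},
    {"target": r"^(.+,)?ou=services,ou=(.+,)?dc=example,dc=com$", "exact": False,
     "attrs": set(), "by": [("*", None, "none")]},
    {"target": None, "exact": False, "attrs": set(),
     "by": [("dn.base", "cn=Admin,dc=example,dc=com", "write"), ("*", None, "read")]},
    {"target": "dc=example,dc=com", "exact": True, "attrs": set(),
     "by": [("self", None, "write"),
            ("dn.base", "cn=Admin,dc=example,dc=com", "write"), ("*", None, "read")]},
]


def expand(pattern, groups):
    """Replace $1..$9 in a 'by dn.regex' pattern with the 'to' regex capture groups.
    This model escapes the substituted text so an RDN value cannot act as regex syntax."""
    def repl(m):
        value = groups[int(m.group(1)) - 1]
        return re.escape(value or "")
    return re.sub(r"\$(\d)", repl, pattern)


def access(subject_dn, target_dn, attr=None):
    """Return (rule index, level) slapd would grant subject_dn on target_dn.
    attr=None means the entry itself; subject_dn=None means an anonymous bind."""
    for idx, rule in enumerate(ACL):
        # A rule restricted to an attribute list covers neither the entry nor other attrs.
        if rule["attrs"] and attr not in rule["attrs"]:
            continue
        groups = ()
        if rule["target"] is not None:
            if rule["exact"]:
                if target_dn != rule["target"]:
                    continue
            else:
                m = re.search(rule["target"], target_dn)
                if not m:
                    continue
                groups = m.groups()
        # First matching "to" clause decides; now the first matching "by" clause wins.
        for kind, pat, level in rule["by"]:
            if kind == "*":
                return idx, level
            if kind == "self" and subject_dn == target_dn:
                return idx, level
            if kind == "anonymous" and subject_dn is None:
                return idx, level
            if kind == "dn.base" and subject_dn == pat:
                return idx, level
            if kind == "dn.regex" and subject_dn is not None:
                if re.search(expand(pat, groups), subject_dn):
                    return idx, level
        return idx, "none"  # matching "to" but no matching "by": implicit deny
    return None, "none"     # no rule matched at all: slapd denies


if __name__ == "__main__":
    role2 = "cn=mail,ou=roles,ou=department2,dc=example,dc=com"
    admin = "cn=Admin,dc=example,dc=com"
    checks = [
        (role2, "cn=aliases,ou=mail,ou=services,ou=department2,dc=example,dc=com", None),
        (role2, "cn=aliases,ou=mail,ou=services,ou=department1,dc=example,dc=com", None),
        (role2, "ou=services,ou=department2,dc=example,dc=com", None),
        (admin, "uid=foobar,ou=people,ou=department1,dc=example,dc=com", "mail"),
        ("dc=example,dc=com", "dc=example,dc=com", None),
    ]
    for who, what, attr in checks:
        idx, level = access(who, what, attr)
        print(f"{who} -> {what} [{attr or 'entry'}]: rule {{{idx}}} gives {level}")
```

The model deliberately returns the index of the rule that decided, because that is the question to ask when an ACL behaves unexpectedly: not "which rule did I write for this" but "which earlier rule matched first".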
