hi,

I plan the new ACL layout for our Wheezy LDAP server.

Our layout:

Main suffix:
  dc=example,dc=com

then the first department:
  ou=department1,dc=example,dc=com
    ou=people,ou=department1,dc=example,dc=com
      uid=foobar,ou=people,ou=department1,dc=example,dc=com
      [...]
    ou=groups,ou=department1,dc=example,dc=com
      gid=students,ou=groups,ou=department1,dc=example,dc=com
      [...]
    ou=roles,ou=department1,dc=example,dc=com
      cn=mail,ou=roles,ou=department1,dc=example,dc=com
      cn=admins,ou=roles,ou=department1,dc=example,dc=com
    ou=services,ou=department1,dc=example,dc=com
      ou=mail,ou=services,ou=department1,dc=example,dc=com
        cn=aliases,ou=mail,ou=services,ou=department1,dc=example,dc=com
        [...]

next department2, the same:
  ou=department2,dc=example,dc=com
    ou=people,ou=department2,dc=example,dc=com
      uid=foobar,ou=people,ou=department2,dc=example,dc=com
      [...]
    [...]
  .... completely the same as department1

Now I'm stuck on the ACLs. I want to make use of regexes, so that every department has its own roles, groups and admins and access only to their (for example) services.

What I already have:

{0}to attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTpassword
    by self =xw
    by anonymous auth
    by * none
{1}to dn.regex="uid=(.+),ou=people,ou=(.+),dc=example,dc=com$" attrs="myFB,myStudiengang,gender,myMatrikel,myTudUserUniqueID"
    by self read
    by * none
{2}to dn.regex="uid=(.+),ou=people,ou=(.+),dc=example,dc=com$" attrs="mail,myMailalias,myMailDomain,myNoMail"
    by self read
    by dn.regex="cn=mail,ou=roles,ou=$2,dc=example,dc=com$" read
    by * none
{3}to dn.regex="^(.+,)?ou=mail,ou=services,ou=(.+)?,dc=example,dc=com$"
    by dn.regex="cn=mail,ou=roles,ou=$2,dc=example,dc=com$" read
{4}to dn.regex="^(.+,)?ou=services,ou=(.+,)?dc=example,dc=com$"
    by * none
{5}to *
    by dn.base="cn=Admin,dc=example,dc=com" write
    by * read
{6}to dn.base="dc=example,dc=com"
    by self write
    by dn.base="cn=Admin,dc=example,dc=com" write
    by * read

I'm able to read the subtree "ou=mail,ou=services,ou=department1,dc=example,dc=com" only with the authenticated user "cn=mail,ou=roles,ou=department1,dc=example,dc=com", and "ou=mail,ou=services,ou=department2,dc=example,dc=com" only with the authenticated user "cn=mail,ou=roles,ou=department2,dc=example,dc=com", and I can't search the service tree of ou=department1 with a user from ou=department2 :-)

But why can't I see "ou=services,ou=department2,dc=example,dc=com"? Just for me to know where I have a problem ... for the services (Postfix in most cases) it isn't important that they can't see the "ou=services".

Also I want to make sure that every department "admin group" (cn=admins,ou=roles,ou=<department>,dc=example,dc=com -> groupOfUniqueNames) can do everything under their (and only their) tree ou=<department>,dc=example,dc=com.

So, any tips are welcome :-)

cu denny

Pages I have already open:
http://www.openldap.org/doc/admin24/access-control.html
http://wiki.mandriva.com/fr/uploads/3/3a/Mandriva-dit-access-template.conf
http://www.openldap.org/devel/admin/slapdconf2.html
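As an added check that is not part of the original post: the script below re-implements the first-match evaluation that slapd.access(5) applies to the poster's rules {3}, {4} and {5}, so you can see which `to` clause an entry actually falls under before testing against the live server. It is a simplified model written for this post (no `self` or group styles), not slapd code; the DNs are taken from the post.

```python
import re

# ACL rules {3}-{5} copied from the post, in slapd order. slapd uses the FIRST
# <to> clause whose pattern matches the target DN, then the first <by> clause
# that matches the bind DN; a <to> whose <by> list matches nothing means 'none'.
# The attrs-scoped rules {0}-{2} are left out: they do not decide whether an
# entry in the services subtree is visible at all.
ACLS = [
    ("{3}", r"^(.+,)?ou=mail,ou=services,ou=(.+)?,dc=example,dc=com$",
     [("dn.regex", r"cn=mail,ou=roles,ou=$2,dc=example,dc=com$", "read")]),
    ("{4}", r"^(.+,)?ou=services,ou=(.+,)?dc=example,dc=com$",
     [("*", None, "none")]),
    ("{5}", r".*",
     [("dn.base", "cn=Admin,dc=example,dc=com", "write"),
      ("*", None, "read")]),
]

def evaluate(target_dn, bind_dn):
    """Return (rule_id, access) slapd would grant bind_dn on target_dn.

    Simplified model of slapd.access(5) evaluation; 'self' and group-based
    <by> styles are not needed for these rules and are not implemented.
    """
    for rule_id, to_regex, by_clauses in ACLS:
        to_match = re.search(to_regex, target_dn)
        if to_match is None:
            continue
        for who, pattern, access in by_clauses:
            if who == "*":
                return rule_id, access
            if who == "dn.base" and bind_dn == pattern:
                return rule_id, access
            if who == "dn.regex":
                # $1, $2, ... expand to the capture groups of the <to> regex
                expanded = re.sub(r"\$(\d)",
                                  lambda g: to_match.group(int(g.group(1))) or "",
                                  pattern)
                if re.search(expanded, bind_dn):
                    return rule_id, access
        return rule_id, "none"   # matched <to>, but no <by> applied

if __name__ == "__main__":
    mail2 = "cn=mail,ou=roles,ou=department2,dc=example,dc=com"
    for dn in ("ou=services,ou=department2,dc=example,dc=com",
               "ou=mail,ou=services,ou=department2,dc=example,dc=com",
               "ou=mail,ou=services,ou=department1,dc=example,dc=com"):
        print(dn, "->", evaluate(dn, mail2))
```

Run stand-alone it shows that "ou=services,ou=department2,dc=example,dc=com" never reaches {3} (no "ou=mail," in its DN) and is caught by {4} with `by * none`, which is why the entry stays invisible even to the department2 mail role, while entries at or below ou=mail are granted by {3} with `$2` expanded to the department name.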