
List:       ldap
Subject:    [ldap] Access-list problem
From:       "Paul Dekkers" <bb+lists.ldap () vet ! fnt ! hvu ! nl>
Date:       2002-10-28 13:07:17

Hi,

I'm thinking of an access-list design where I can specify some admins in
an Organisational Unit where those admins can modify the users in the
Organisational Unit. 
An ACL like this is close to what I need:

access to dn="ou=Customer,ou=Accounts,o=Organisation"
       by group="cn=Admins,o=Organisation" write
       by group="cn=Admins,ou=Customer,ou=Accounts,o=Organisation" write
       by anonymous auth
       by * none

I don't, however, want to specify this ACL for every Customer we have. So the
ou=CustomerX would better be some kind of variable, which is the same as
the ou=CustomerX of the admin's group. If I specify

access to dn="ou=.*,ou=Accounts,o=Organisation"
       by group="cn=Admins,o=Organisation" write
       by group="cn=Admins,ou=.*,ou=Accounts,o=Organisation" write
       by anonymous auth
       by * none

this of course is not the solution, since every Admin of every Customer
can edit all user-data of other Customers :-(
Is this possible with ACLs? Is there maybe some more advanced regex
possible?

Thank you in advance,
Paul
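An added example (not part of Paul's post) showing how the "variable" Customer OU can be expressed with a regex capture group and a back-reference in the group DN. It assumes the OpenLDAP 2.1 or later slapd.conf ACL syntax (`dn.regex` on the `to` clause and `group.expand` on the `by` clause); the DNs are the ones from the post.

```conf
# Added example (not from the original post); assumes OpenLDAP 2.1+ ACL syntax.
#
# The "to" pattern captures the Customer OU name in $2 and anchors the DN on
# both ends. [^,]+ (rather than .*) keeps the capture to a single RDN value,
# so it cannot span into another part of the tree.
# The optional "(.*,)?" prefix makes the rule cover the ou=CustomerX entry
# itself and every entry below it (the users).
access to dn.regex="^(.*,)?ou=([^,]+),ou=Accounts,o=Organisation$"
        # global admins may write everything under ou=Accounts
        by group="cn=Admins,o=Organisation" write
        # only the Admins group of the *same* Customer OU ($2) gets write
        by group.expand="cn=Admins,ou=$2,ou=Accounts,o=Organisation" write
        by anonymous auth
        by * none
```

Because `$2` is substituted from the DN being accessed, the Admins group of ou=CustomerA is matched only when the target entry sits under ou=CustomerA; the ou=CustomerB admins fall through to `by * none`. Since slapd applies the first `access to` directive whose target matches, this rule has to appear before any broader `access to *` rule in slapd.conf. On releases that ship slapacl(8), `slapacl -b <user dn> -D <admin dn>` is a convenient way to confirm which access each Customer's admin actually gets before putting the rule into production.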



