I need your advice on a LDAP structure and associated ACL.
Our LDAP will manage 10 (the number may vary) organizations which contain users (250 users in total). I want one user per organization to be allowed to manage all the users of his own organization. Users will also be attached to custom groups.
What is the best LDAP structure for that?
My first idea is the following. Groups:

dn: cn=Manager,ou=Roles,ou=Groups
objectClass: posixGroup
objectClass: top
cn: Manager
gidNumber: 10100
memberUid: user1
memberUid: user3

dn: cn=Structure1,ou=Structures,ou=Groups
objectClass: posixGroup
cn: Structure1
gidNumber: 10000
description: Structure1
memberUid: user1
memberUid: user2

dn: cn=Structure2,ou=Structures,ou=Groups
objectClass: posixGroup
cn: Structure2
gidNumber: 10001
description: Structure2
memberUid: user3
memberUid: user4
user1 should be allowed to edit user2 but not user3 or user4. user3 should be allowed to edit user1 but not user2.
I actually get stuck on the ACL because I cannot manage to use the groups of an entry with the ACL set method. I would like to do something like this:
{1}to dn.children="ou=Users" by set="[cn=]+this/groups+[,ou=Structures,ou=Groups]/memberUid & user/uid" write by * read
I am able to use groupOfNames if that is better than posixGroup.
I've already read:
- I'm not convinced this even makes sense. It would allow any user who is a member of an organization to manage all other members of the organization, and vice versa. (user207421, commented Apr 23, 2014 at 10:21)
- Yes, the ACL given should do this but it does not even work. Of course what I want is that the users of the Manager group can manage their own groups. (fabien-michel, commented Apr 23, 2014 at 14:20)

1 Answer
My contribution is one option to solve this situation. I know it's been a while, but I hope this helps someone out there.

- Change to groupOfNames or organizationalRole (the latter supports empty groups); both require a DN as member.
- Enable the memberOf overlay, to enable the memberOf operational attribute on the user (this will add the list of groups the user is a member of to an attribute in the user entry):

olcMemberOfGroupOC: organizationalRole
olcMemberOfMemberAD: roleOccupant
olcMemberOfMemberOfAD: groups

("groups" is the operational attribute added to the user.)

- Once both actions were performed and you're sure the users have values in the groups operational attribute, according to the original question, here are 2 scenarios:
  - 1st scenario: user1 is allowed to write user3,ou=users as they belong to cn=Manager,ou=Roles,ou=Groups
  - 2nd scenario: user1 is allowed to write user2,ou=users as they belong to cn=Structure1,ou=Structures,ou=Groups
by set="this/groups & user/groups" write
This ACL allows write whenever both users (the modified and the modifier) have the same group; then the ACL will grant write privileges.

user=user1,ou=users
"user/groups" gets the values of the modifier's groups attribute: cn=Manager,ou=Roles,ou=Groups and cn=Structure1,ou=Structures,ou=Groups.

this=user3,ou=users
"this/groups" gets the values of the modified object's groups attribute: cn=Manager,ou=Roles,ou=Groups and cn=Structure2,ou=Structures,ou=Groups.

this=user2,ou=users
"this/groups" gets the values of the modified object's groups attribute: cn=Manager,ou=Roles,ou=Groups and cn=Structure1,ou=Structures,ou=Groups.

I hope this solves the question and is useful to anyone struggling with OpenLDAP ACLs as I was some days ago.
Best regards!!
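As an added example (not code from the question, the answer, or OpenLDAP itself), here is a small Python model of what the answer sets up: it derives the `groups` operational attribute from roleOccupant values the way the answer's memberOf overlay settings do, then evaluates the set clause `this/groups & user/groups` for every modifier/target pair among the question's four users. It assumes a base suffix of dc=example,dc=com and that the three groups have been converted to organizationalRole entries as the answer suggests. The last function compares the ACL's result with the asker's stated intent from the comments (a Manager may edit users of their own Structure) and lists the extra grants, which is the point the first comment raises: any shared group, the Manager role included, grants write in both directions.

```python
# Toy model of the memberOf overlay plus the answer's set-based ACL.
# All entries below are constructed for illustration; the base suffix is assumed.

BASE = "dc=example,dc=com"

# Constructed user entries (uid -> DN), matching the question's user1..user4.
USERS = {f"user{i}": f"uid=user{i},ou=Users,{BASE}" for i in range(1, 5)}

# Constructed groups as organizationalRole entries keyed by DN; each value is
# the set of roleOccupant DNs (the answer's olcMemberOfMemberAD: roleOccupant).
GROUPS = {
    f"cn=Manager,ou=Roles,ou=Groups,{BASE}": {USERS["user1"], USERS["user3"]},
    f"cn=Structure1,ou=Structures,ou=Groups,{BASE}": {USERS["user1"], USERS["user2"]},
    f"cn=Structure2,ou=Structures,ou=Groups,{BASE}": {USERS["user3"], USERS["user4"]},
}

MANAGER_DN = f"cn=Manager,ou=Roles,ou=Groups,{BASE}"


def derive_memberof(groups):
    """Mimic the memberOf overlay: for every roleOccupant of a group, add the
    group DN to that user's operational attribute 'groups'
    (the answer's olcMemberOfMemberOfAD: groups)."""
    groups_attr = {}
    for group_dn, occupants in groups.items():
        for user_dn in occupants:
            groups_attr.setdefault(user_dn, set()).add(group_dn)
    return groups_attr


def set_acl_grants_write(groups_attr, user_dn, this_dn):
    """Evaluate  by set="this/groups & user/groups" write.
    'user' is the bound (modifying) entry, 'this' the entry being modified.
    A set clause matches when the resulting set is non-empty."""
    user_groups = groups_attr.get(user_dn, set())
    this_groups = groups_attr.get(this_dn, set())
    return bool(this_groups & user_groups)


def intended_policy(groups_attr, user_dn, this_dn):
    """The asker's intent as clarified in the comments: the modifier must hold
    the Manager role AND share a group under ou=Structures with the target."""
    user_groups = groups_attr.get(user_dn, set())
    if MANAGER_DN not in user_groups:
        return False
    shared = user_groups & groups_attr.get(this_dn, set())
    return any(",ou=Structures,ou=Groups," in dn for dn in shared)


def over_grants(groups_attr):
    """(modifier uid, target uid) pairs the set ACL allows but the intended
    policy does not. Self-modification is skipped: it is a separate decision
    (the set is always non-empty when this == user and the user has a group)."""
    extra = []
    for u, u_dn in USERS.items():
        for t, t_dn in USERS.items():
            if u == t:
                continue
            if set_acl_grants_write(groups_attr, u_dn, t_dn) and not intended_policy(
                groups_attr, u_dn, t_dn
            ):
                extra.append((u, t))
    return sorted(extra)


if __name__ == "__main__":
    g = derive_memberof(GROUPS)
    for uid, dn in USERS.items():
        print(uid, "groups:", sorted(g.get(dn, ())))
    print("granted by set ACL but outside the intended policy:", over_grants(g))
```

Running the block prints each user's derived `groups` values and the four pairs that the shared-group ACL grants beyond the intended policy: user1 to user3 and user3 to user1 through the Manager role, plus user2 to user1 and user4 to user3 because a plain member shares a Structure group with its manager.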