Hi list members,

I use a  openldap server for the user management of an  proprietary client/server application.

 

Users are modified person class objects.

Groups are groupOfName objects.

Rights are also groupOfNames.

 

Users are members of groups and groups are members of rights.

 

To exemplify my problem:

User: cn=example,ou=users,dc=mydomain

Group: cn=supervisors,ou=groups,dc=mydomain

Right: cn=someRight,ou=rights,dc=mydomain

 

For instance someRight should give all members of supervisors the right to modify other users.

At the moment the ACL is related to the group.

 

Access to dn.sub=”ou=users,dc=mydomain”

                By group.exact=”cn=supervisor,ou=groups,dc=mydomain” write

                By self read

 

To use the rights I’d need an ACL with a  group of group.

 

Access to dn.sub=”ou=users,dc=mydomain”

                By group.exact=”cn=someRight,ou=rights,dc=mydomain” write

 

Should allow all members of all groups that are member of someRight to modify users.

 

Is this possible or is groupOfNames the wrong class to represent group rights?

 

Thanks in advance!

 

Jan