Hi list members,
I use an OpenLDAP server for the user
management of a proprietary client/server application.
Users are modified person class objects.
Groups are groupOfNames objects.
Rights are also groupOfNames.
Users are members of groups and groups are
members of rights.
To exemplify my problem:
User: cn=example,ou=users,dc=mydomain
Group: cn=supervisors,ou=groups,dc=mydomain
Right: cn=someRight,ou=rights,dc=mydomain
For instance someRight should give all
members of supervisors the right to modify other users.
At the moment the ACL is related to the
group:

    access to dn.sub="ou=users,dc=mydomain"
        by group.exact="cn=supervisors,ou=groups,dc=mydomain" write
        by self read
To use the rights I'd need an ACL
with a group of groups:

    access to dn.sub="ou=users,dc=mydomain"
        by group.exact="cn=someRight,ou=rights,dc=mydomain" write
This should allow all members of all groups that
are members of someRight to modify users.
Is this possible or is groupOfNames the
wrong class to represent group rights?
Thanks in advance!
Jan
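As an added illustration (not part of Jan's message, and not an answer from the list), the two access directives side by side, using the DNs from the post and assuming plain groupOfNames entries with a "member" attribute on both the groups and the rights. The point it shows: group.exact only checks the direct "member" values of the named entry, so a user who is a member of a group that is itself a member of cn=someRight is not matched by it. slapd's set syntax (slapd.access(5), documented there as experimental) can follow the nesting explicitly by walking "member" twice. Since slapd stops at the first "access to" whose target matches, the two "by" clauses are combined into one directive rather than written as two separate ones.

```conf
# Added example, not from the original post. Assumes the entries named in
# the message exist and use the default groupOfNames "member" attribute.

access to dn.sub="ou=users,dc=mydomain"
    # Direct membership only: users listed in "member" of the supervisors
    # group. group.exact does not expand groups nested inside this group.
    by group.exact="cn=supervisors,ou=groups,dc=mydomain" write

    # Nested membership through a "right":
    #   [cn=someRight]/member        -> the DNs of the groups in the right
    #   [cn=someRight]/member/member -> the DNs of the users in those groups
    # "& user" intersects that result with the bound user's DN; a non-empty
    # intersection grants write. Check that your slapd build has set
    # support enabled before relying on this clause.
    by set="[cn=someRight,ou=rights,dc=mydomain]/member/member & user" write

    by self read
```

The set walks exactly the two levels described in the post (user -> group -> right); a deeper hierarchy needs one more "/member" per level, so the depth of the nesting is fixed in the ACL rather than discovered at evaluation time. A quick way to confirm which clause is granting access is to run slapd with ACL debugging (-d acl) and bind as the test user while performing the modify.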