On Mon, Feb 02, 2009 at 05:59:40PM -0200, Leandro Repolho wrote:
Hello, I don't know if it is possible to do this, but I would like to create a user inside an OU of my OpenLDAP server, and when this user connects to an LDAP manager like phpLdapAdmin he needs to see all objects inside his OU and manage them. Is it possible to do this?
Yes. This sort of thing can be done very efficiently using regular expressions.
Suppose you have an organisation with DN dc=example,dc=org and OUs under it, then a directive like this will give write access to the user with the name 'cn=admin,ou=people,ou=XXX,dc=example,dc=org':
    # Allow admin to write all entries inside their own department.
    # The target regex captures the department OU in $1; 'expand' substitutes
    # it into the by-clause, giving cn=admin,ou=people,ou=XXX,dc=example,dc=org
    # (ou=people, as in the DN above). Everyone else falls through ('break')
    # to whatever later access directives say.
    access to dn.regex="(ou=[^,]+,dc=example,dc=org)$"
        by dn.subtree,expand="cn=admin,ou=people,$1" write
        by * break
The regex recognises entries under any OU, and saves the DN of the OU in $1. This is then substituted into the 'by' clause to give access to the right admin.
I will be presenting a paper on ACL design at the UKUUG Spring Conference in London, and this is very close to one of the examples. http://www.skills-1st.co.uk/papers/ldap-acls-jan-2009/
Andrew
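To see exactly which bind DN / target DN pairs the directive above grants write access to, here is a small Python model of the rule's evaluation. It is an added example, not code from the mailing-list post or from OpenLDAP itself: it re-implements only the pieces the directive relies on (a `dn.regex` target with one capture group, `expand` of `$1` into the `by` pattern, and a `dn.subtree` comparison), using a simplified DN normalisation (lower-case, whitespace stripped) instead of slapd's full matching rules. The departments `ou=sales` and `ou=eng` and the entry names are constructed sample data.

```python
import re

# The directive from the post, modelled as data (added example, not OpenLDAP code).
# Target clause: dn.regex="(ou=[^,]+,dc=example,dc=org)$"  -> group 1 is the department OU
TARGET_RE = re.compile(r"(ou=[^,]+,dc=example,dc=org)$")
# By clause: dn.subtree,expand="cn=admin,ou=people,$1" write
BY_PATTERN = "cn=admin,ou=people,$1"


def normalize(dn):
    """Simplified DN normalisation: strip spaces around RDNs and lower-case.
    slapd does considerably more (attribute-type canonicalisation, escaping),
    but this is enough to compare the sample DNs used here."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def in_subtree(subject_dn, base_dn):
    """dn.subtree semantics: the subject is the base entry itself or any entry below it."""
    subject, base = normalize(subject_dn), normalize(base_dn)
    return subject == base or subject.endswith("," + base)


def expand(pattern, match):
    """The 'expand' modifier: replace $1..$9 in the by-pattern with the
    capture groups of the target regex match."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))), pattern)


def access_for(bind_dn, target_dn):
    """Evaluate the single directive for one (bind DN, target DN) pair.

    Returns 'write' if the expanded by-clause matches the bind DN,
    'break' if the entry is covered but the bind DN is not the department
    admin (evaluation continues with later directives), or None if the
    target regex does not select the entry at all (the directive is skipped)."""
    m = TARGET_RE.search(normalize(target_dn))
    if m is None:
        return None
    admin_base = expand(BY_PATTERN, m)      # e.g. cn=admin,ou=people,ou=sales,dc=example,dc=org
    if in_subtree(bind_dn, admin_base):
        return "write"
    return "break"


if __name__ == "__main__":
    sales_admin = "cn=admin,ou=people,ou=sales,dc=example,dc=org"   # constructed sample DN
    cases = [
        "cn=bob,ou=people,ou=sales,dc=example,dc=org",        # own department: write
        "cn=printer1,ou=devices,ou=sales,dc=example,dc=org",  # nested OU, still own department: write
        "ou=sales,dc=example,dc=org",                         # the department OU entry itself: write
        "cn=alice,ou=people,ou=eng,dc=example,dc=org",        # another department: break
        "dc=example,dc=org",                                  # not under any OU: directive skipped
    ]
    for target in cases:
        print(f"{target:55} -> {access_for(sales_admin, target)}")
```

Two things the run makes visible that the one-line description glosses over. First, because the regex is anchored only at the end, an entry several OUs deep (`ou=devices,ou=sales,...`) still captures the top-level department, so nested OUs inherit the same admin. Second, the regex also matches the department OU entry itself, so the admin can modify (and, with `write`, delete) `ou=sales,dc=example,dc=org`; if that is not wanted, a separate directive for the OU entry with `dn.regex="^ou=[^,]+,dc=example,dc=org$"` placed before this one would need to handle it. `dn.subtree` on the by-clause also matches any entry stored below `cn=admin,...`, which is normally none; `dn.exact,expand` would express the intent more tightly.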