Hi
I wanted to run a scenario past everyone to see if there is a better approach to the one I am thinking of implementing.
The OU structure we have is:
+- dc=example,dc=com +-- ou=accounts +--- ou=subsidiary1 +--- ou=subsidiary2 +--- ou=special +--- ou=staff +--- ou=the-rest
I have two groups defined - one group needs to be able to create new entries under the staff OU, and the other group needs to be able to create new entries under the OUs subsidiary1, subsidiary2 and the-rest. Nobody (except for LDAP admin) should be able to create entries under OU special.
More specifically, I want group members to be able to *add* new entries but modification and deletion of entries should only be done by the LDAP admin. I *may* want to allow group members to modify entries in the future but certainly just add for now.
A couple of notes about subsidiary1/subsidiary2:
* they aren't really called that :-) * more will get added over time, with corresponding changes in permissions required.
In other words, I can't use a regex to match against "subsidiary", but I want an ACL implementation that, if possible, can cope with future OUs being created without modifying the ACLs.
So, my thinking is:
1. Have an ACL that blocks write access to "special". 2. Have an ACL that grants write access to "staff" for members of the staff account managers group. 3. Have one ACL that grants write access to all other OUs for members of the non-staff account managers group.
If that makes sense ...
access to dn.exact="ou=special,ou=accounts,dc=example,dc=com" attrs=children by * none
access to dn.exact="ou=staff,ou=accounts,dc=example,dc=com" attrs=children by group="cn=account-mgrs-staff,ou=mailing,ou=groups,dc=example,dc=com" add by * none
access to dn.sub="ou=staff,ou=accounts,dc=example,dc=com" attrs=entry by group="cn=account-mgrs-staff,ou=mailing,ou=groups,dc=example,dc=com" add by * none
How do I do the rules for the other OUs? Can I have just two rules? One to allow access to the children attribute and one to allow access to the entry attribute? If so, it would need to be on the OUs *beneath* ou=accounts so that members of the group cannot create entries within ou=accounts.
So would this work?
access to dn.one="ou=accounts,dc=example,dc=com" attrs=children by group="cn=account-mgrs-non-staff,ou=mailing,ou=groups,dc=example,dc=com" add by * none
access to dn.sub="ou=accounts,dc=example,dc=com" attrs=entry by group="cn=account-mgrs-non-staff,ou=mailing,ou=groups,dc=example,dc=com" add by * none
I'm not sure if members of account-mgrs-non-staff would be blocked from adding to ou=staff ...
Suggestions or help appreciated.
Regards
Philip