hi,
I plan the new ACL layout for our Wheezy LDAP server.
Our layout:
Main suffix: dc=example,dc=com
then the first department:
ou=department1,dc=example,dc=com
ou=people,ou=department1,dc=example,dc=com
uid=foobar,ou=people,ou=department1,dc=example,dc=com
[...]
ou=groups,ou=department1,dc=example,dc=com
gid=students,ou=groups,ou=department1,dc=example,dc=com
[...]
ou=roles,ou=department1,dc=example,dc=com
cn=mail,ou=roles,ou=department1,dc=example,dc=com
cn=admins,ou=roles,ou=department1,dc=example,dc=com
ou=services,ou=department1,dc=example,dc=com
ou=mail,ou=services,ou=department1,dc=example,dc=com
cn=aliases,ou=mail,ou=services,ou=department1,dc=example,dc=com
[...]
next department2, the same:
ou=department2,dc=example,dc=com
ou=people,ou=department2,dc=example,dc=com
uid=foobar,ou=people,ou=department2,dc=example,dc=com
[...]
completely the same as department1
Now I'm stuck on the ACLs. I want to make use of regexes, so that every department has its own roles, groups and admins, and access only to its own (for example) services.
What I already have:
{0}to attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTpassword by self =xw by anonymous auth by * none
{1}to dn.regex="uid=(.+),ou=people,ou=(.+),dc=example,dc=com$" attrs="myFB,myStudiengang,gender,myMatrikel,myTudUserUniqueID" by self read by * none
{2}to dn.regex="uid=(.+),ou=people,ou=(.+),dc=example,dc=com$" attrs="mail,myMailalias,myMailDomain,myNoMail" by self read by dn.regex="cn=mail,ou=roles,ou=$2,dc=example,dc=com$" read by * none
{3}to dn.regex="^(.+,)?ou=mail,ou=services,ou=(.+)?,dc=example,dc=com$" by dn.regex="cn=mail,ou=roles,ou=$2,dc=example,dc=com$" read
{4}to dn.regex="^(.+,)?ou=services,ou=(.+,)?dc=example,dc=com$" by * none
{5}to * by dn.base="cn=Admin,dc=example,dc=com" write by * read
{6}to dn.base="dc=example,dc=com" by self write by dn.base="cn=Admin,dc=example,dc=com" write by * read
I'm able to read the subtree "ou=mail,ou=services,ou=department1,dc=example,dc=com" only with the authenticated user "cn=mail,ou=roles,ou=department1,dc=example,dc=com", and "ou=mail,ou=services,ou=department2,dc=example,dc=com" with the authenticated user "cn=mail,ou=roles,ou=department2,dc=example,dc=com", and with a user from ou=department2 I can't search the service tree of ou=department1 :-)
But why can't I see "ou=services,ou=department2,dc=example,dc=com"? Just so I know where my problem is ... for the services (Postfix in most cases) it isn't important that they can't see "ou=services".
Also I want to make sure that every department's "admin group" (cn=admins,ou=roles,ou=<department>,dc=example,dc=com -> groupOfUniqueNames) can do everything under (and only under) its own ou=<department>,dc=example,dc=com.
So, any tips are welcome :-)
cu denny
pages I have already open:
http://www.openldap.org/doc/admin24/access-control.html
http://wiki.mandriva.com/fr/uploads/3/3a/Mandriva-dit-access-template.conf
http://www.openldap.org/devel/admin/slapdconf2.html
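The following is an added example, not part of the post and not OpenLDAP code: a small Python model of how slapd walks an access list, fed with the seven rules quoted above verbatim. It shows that "ou=services,ou=department2,dc=example,dc=com" is hidden because rule {4} is the first "to" clause whose target matches that entry and its only "by" clause is "by * none" (rule {3} never sees it, since the container DN contains no "ou=mail,"). It also tries a proposed reordering, which is my assumption and not the poster's configuration: a per-department admin rule placed first with "by * break" so non-admins fall through, and a rule for the ou=services container itself placed before the catch-all that hides it. The principals "uid=alice", "uid=bob" and the group membership are constructed for the example; the `entry` pseudo-attribute, the `break` control and the `group/groupOfUniqueNames/uniqueMember.expand=` syntax are real slapd.access(5) features, but everything else about slapd's evaluation (incremental `+`/`-` access, `continue`, sets, SSF) is deliberately left out of the model.

```python
"""Toy model of slapd ACL evaluation for the per-department layout in the post.
Added example, not slapd and not the poster's config. Modelled: rules are tried in
order and the FIRST 'to' whose target matches decides (later ones are never looked at);
inside it the first matching 'by' wins, none matching means deny (implicit 'by * none');
$1, $2 in 'by dn.regex=' / 'group/...expand=' are the target regex groups; 'by <who> break'
decides nothing and moves on to the next 'to'. Not modelled: incremental +/- access,
'continue', sets, SSF. Returning an entry from a search needs read on its 'entry'
pseudo-attribute, which only rules without an attrs= list cover.
"""
import re, shlex

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
LETTER = dict(zip(LEVELS[1:], "dxcsrwm"))  # privilege letter of each level
CONTROLS = {"stop", "continue", "break"}

def granted(access):  # letters a by-clause hands out: 'read' -> d,x,c,s,r ; '=xw' -> x,w
    return set(access[1:]) if access[0] == "=" else {LETTER[l] for l in LEVELS[1:LEVELS.index(access) + 1]}

def parse_rule(line):
    """Parse 'to <what> by <who> [<access>] [<control>] ...'; an olcAccess {n} prefix is dropped."""
    toks = shlex.split(re.sub(r"^\{\d+\}", "", line))
    target, i, bys = {"style": "*", "pat": None, "attrs": None}, 1, []
    while i < len(toks) and toks[i] != "by":
        key, _, val = toks[i].partition("=")
        if key in ("dn.base", "dn.regex"):
            target["style"], target["pat"] = key[3:], val
        elif key == "attrs":
            target["attrs"] = {a.lower() for a in val.split(",")}
        i += 1
    while i < len(toks):  # toks[i] == "by"
        who, i, access, control = toks[i + 1], i + 2, None, "stop"
        if i < len(toks) and toks[i] != "by" and toks[i] not in CONTROLS:
            access, i = toks[i], i + 1
        if i < len(toks) and toks[i] in CONTROLS:
            control, i = toks[i], i + 1
        bys.append((who, access, control))
    return target, bys

def expand(pattern, m):  # substitute $1, $2, ... with the target regex's groups (empty when absent)
    return re.sub(r"\$(\d)", lambda g: (m and m.group(int(g.group(1)))) or "", pattern)

def who_matches(who, requester, dn, m, groups):
    req, (spec, _, pat) = (requester or "").lower(), who.partition("=")
    if who in ("*", "anonymous", "users", "self"):
        return {"*": True, "anonymous": req == "", "users": req != "", "self": req == dn.lower()}[who]
    if spec == "dn.base":
        return req == pat.lower()
    if spec == "dn.regex":
        return req != "" and re.search(expand(pat, m), req, re.I) is not None
    if spec.startswith("group"):  # group[/objectclass/attr][.expand]=<group dn>
        gdn = (expand(pat, m) if spec.endswith(".expand") else pat).lower()
        members = next((v for k, v in groups.items() if k.lower() == gdn), ())
        return req in {d.lower() for d in members}
    raise ValueError("unsupported <who>: " + who)

def check(rules, requester, dn, attr, priv, groups):
    """(allowed, index of the deciding rule); (False, None) if no 'to' matched at all."""
    for idx, (target, bys) in enumerate(rules):
        m = re.search(target["pat"], dn, re.I) if target["style"] == "regex" else None
        if (target["style"] == "regex" and m is None) or \
           (target["style"] == "base" and target["pat"].lower() != dn.lower()):
            continue
        if target["attrs"] is not None and attr.lower() not in target["attrs"]:
            continue
        for who, access, control in bys:
            if not who_matches(who, requester, dn, m, groups):
                continue
            if control == "break":  # decides nothing: go on with the next 'to'
                break
            return priv in granted(access), idx
        else:
            return False, idx  # 'to' matched but no 'by' did: implicit 'by * none'
    return False, None

# The seven rules from the post, verbatim.
POSTED = [
    '{0}to attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTpassword by self =xw by anonymous auth by * none',
    '{1}to dn.regex="uid=(.+),ou=people,ou=(.+),dc=example,dc=com$" attrs="myFB,myStudiengang,gender,myMatrikel,myTudUserUniqueID" by self read by * none',
    '{2}to dn.regex="uid=(.+),ou=people,ou=(.+),dc=example,dc=com$" attrs="mail,myMailalias,myMailDomain,myNoMail" by self read by dn.regex="cn=mail,ou=roles,ou=$2,dc=example,dc=com$" read by * none',
    '{3}to dn.regex="^(.+,)?ou=mail,ou=services,ou=(.+)?,dc=example,dc=com$" by dn.regex="cn=mail,ou=roles,ou=$2,dc=example,dc=com$" read',
    '{4}to dn.regex="^(.+,)?ou=services,ou=(.+,)?dc=example,dc=com$" by * none',
    '{5}to * by dn.base="cn=Admin,dc=example,dc=com" write by * read',
    '{6}to dn.base="dc=example,dc=com" by self write by dn.base="cn=Admin,dc=example,dc=com" write by * read',
]
# Proposed reordering (my assumption, not the poster's config): per-department admins first,
# falling through for everyone else, plus a rule for the ou=services container itself placed
# BEFORE the catch-all '... ou=services ... by * none' that currently hides it.
PROPOSED = [
    'to dn.regex="^(.+,)?ou=([^,]+),dc=example,dc=com$" by group/groupOfUniqueNames/uniqueMember.expand="cn=admins,ou=roles,ou=$2,dc=example,dc=com" write by * break',
    *POSTED[:4],
    'to dn.regex="^ou=services,ou=([^,]+),dc=example,dc=com$" by dn.regex="^cn=[^,]+,ou=roles,ou=$1,dc=example,dc=com$" read by * none',
    *POSTED[4:],
]
DEPT1_MAIL, DEPT2_MAIL = ("cn=mail,ou=roles,ou=%s,dc=example,dc=com" % d for d in ("department1", "department2"))
ALICE = "uid=alice,ou=people,ou=department1,dc=example,dc=com"  # constructed: a department1 admin
GROUPS = {"cn=admins,ou=roles,ou=department1,dc=example,dc=com": {ALICE}}  # constructed uniqueMember values

def decisions(rule_lines):
    """The post's questions against one rule set: (allowed, index of the deciding rule) each."""
    rules = [parse_rule(l) for l in rule_lines]
    mail2, svc2 = "ou=mail,ou=services,ou=department2,dc=example,dc=com", "ou=services,ou=department2,dc=example,dc=com"
    return {
        "dept2 mail role reads dept2 ou=mail": check(rules, DEPT2_MAIL, mail2, "entry", "r", GROUPS),
        "dept1 mail role reads dept2 ou=mail": check(rules, DEPT1_MAIL, mail2, "entry", "r", GROUPS),
        "dept2 mail role sees dept2 ou=services": check(rules, DEPT2_MAIL, svc2, "entry", "r", GROUPS),
        "dept1 admin writes mail of a dept1 user": check(rules, ALICE, "uid=bob,ou=people,ou=department1,dc=example,dc=com", "mail", "w", GROUPS),
        "dept1 admin writes mail of a dept2 user": check(rules, ALICE, "uid=bob,ou=people,ou=department2,dc=example,dc=com", "mail", "w", GROUPS),
    }
```

`decisions(POSTED)` reports the ou=services entry as denied by rule index 4 and the department admin as denied by rule 2 for both departments (nothing in the posted list mentions cn=admins at all); `decisions(PROPOSED)` grants the container to the department's own roles via the new rule and grants the department1 admin write only inside department1, because the group DN is expanded from the target's own ou=<department>. Two caveats when moving this to the real server: the posted "by dn.regex" patterns have no leading ^, so any DN that merely ends in cn=mail,ou=roles,ou=department1,dc=example,dc=com would match too (anchor them and use [^,]+ rather than .+ for a single RDN), and the model is no substitute for slapacl(8), e.g. `slapacl -F /etc/ldap/slapd.d -D "cn=mail,ou=roles,ou=department2,dc=example,dc=com" -b "ou=services,ou=department2,dc=example,dc=com" entry/read`, which evaluates the ACLs exactly as slapd does.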