Hi,
I have a problem of long and complex ACLs which I need to improve. Therefore, I am thinking of a way to change privilege (access) management.
I have dc=example,dc=com, with branches ou=people, ou=aliases (for email use), ou=dns (dns entries), ou=Groups.
In ou=Groups entries are of the form:

    dn: cn=TechAdmins,ou=Groups,dc=example,dc=com
    objectClass: groupOfNames
    cn: TechAdmins
    member: uid=jack,ou=people,dc=example,dc=com
    member: uid=jeff,ou=people,dc=example,dc=com
I would like to be able to control access to any and all entries based on attributes (to be added to the entries) which specify a group to be used for administration.
So, for example, I could add to all entries an AUXILIARY objectClass (hypothetical at the moment) "AdminGroupOwnership" with the (multi-valued) attributes AdminGroups, ReadGroups and SearchGroups, with values of the form cn=<groupname>,ou=Groups,dc=example,dc=com. Members of the first would have write access, members of the second would have read access, and members of the third would have search access only.
I would like to ask the list:

1. Can someone demonstrate how we should formulate an ACL which would accomplish the above? The ACL should say:

    access to <some entries> <some attribute>
        by {a DN which belongs to a Group specified in the AdminGroups attr of the entry} write
        by {a DN which belongs to a Group specified in the ReadGroups attr of the entry} read
        by {a DN which belongs to a Group specified in the SearchGroups attr of the entry} search

2. Is there an existing schema or similar mechanism available (included in the distribution or available from a third party), so that I don't re-invent the wheel?
Thanks in advance, Nick
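An added slapd.conf example of how the set-based ACL described above could be written; it is not part of the original post. It assumes the hypothetical AdminGroups, ReadGroups and SearchGroups attributes exist in the schema with DN syntax, and uses the TechAdmins group from the post as the only group allowed to change those attributes.

```conf
# Added example (not from the post). Assumes a schema in which the auxiliary
# objectClass AdminGroupOwnership carries the DN-syntax, multi-valued
# attributes AdminGroups, ReadGroups and SearchGroups.
#
# Set syntax: "this" is the entry being accessed, "this/AdminGroups" the group
# DNs stored in it, "/member" the member values of those group entries, and
# "& user" keeps only the bound DN. A non-empty result matches the clause.
# Sets are marked experimental in slapd.access(5); verify with slapacl(8).

# 1. Who may change the ownership attributes themselves. Listed first because
#    the first matching "access to" directive wins: without it, any member of
#    an entry's AdminGroups could rewrite AdminGroups and hand the entry to
#    another group.
access to dn.subtree="dc=example,dc=com"
        attrs=AdminGroups,ReadGroups,SearchGroups
    by group.exact="cn=TechAdmins,ou=Groups,dc=example,dc=com" write
    by users read
    by * none

# 2. Everything else in the entry, driven by the groups the entry names.
#    Within a directive the first matching "by" clause wins, so a user who is
#    in both an AdminGroups and a ReadGroups group gets write.
access to dn.subtree="dc=example,dc=com"
    by set="this/AdminGroups/member & user"  write
    by set="this/ReadGroups/member & user"   read
    by set="this/SearchGroups/member & user" search
    by * none
```

The effective result for a given bind DN and entry can be checked offline with slapacl(8), for example slapacl -f slapd.conf -D "uid=jack,ou=people,dc=example,dc=com" -b "<entry DN>" mail/write.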