Hello and apologies if I'm posting this in the wrong location.
I'm trying to apply some security to my openldap repository and I'm struggling with how or even if I can express a particular constraint.
I have an ou containing inetOrgPersons, and each person's "o" attribute is the string value of the organisation "o" to which the user belongs, e.g. "Some Company Ltd".
e.g. dn=uid=12345679,ou=people,dc=thecompany,dc=co,dc=nz attr o=Some Company Ltd
The organisation "Some Company Ltd" can have subsidiary organisations, specified by the "owner" attribute of the subsidiary having the "dn" of owner organisation.
e.g. dn: o=Subsidiary Company Ltd,ou=organisations,dc=thecompany,dc=co,dc=nz having attr owner:o=Some Company Ltd,ou=organisations,dc=thecompany,dc=co,dc=nz
What I would like to do is restrict the user to having read access only to those subsidiary organisations based on the value of the user's "o" attribute. Is this a reasonable approach or should I be expressing this differently in my schema?
I hope I've expressed that reasonably clearly. Any help would be much appreciated.
Hi,
"David Clarke" <pigwin32@gmail.com> writes:
> Hello and apologies if I'm posting this in the wrong location.
> I'm trying to apply some security to my openldap repository and I'm struggling with how or even if I can express a particular constraint.
> [...]
> What I would like to do is restrict the user to having read access only to those subsidiary organisations based on the value of the user's "o" attribute. Is this a reasonable approach or should I be expressing this differently in my schema?
Try access control by sets http://www.openldap.org/faq/data/cache/1133.html
-Dieter
openldap-technical@openldap.org
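To make the "access control by sets" suggestion concrete for the data layout in the original question (people under ou=people with a string-valued "o", organisations under ou=organisations with a DN-valued "owner"), here is an added slapd.conf ACL fragment. It is an illustration written for this thread, not code from either poster or from the OpenLDAP project; the suffix dc=thecompany,dc=co,dc=nz and the two ou names are taken from the question, everything else is assumed. Set syntax is as documented in slapd.access(5): `this` is the entry being accessed, `user` is the bound user's entry, `/attr` walks an attribute, and DN-valued attributes such as `owner` are dereferenced so the walk can continue into the referenced entry.

```conf
# Added example ACL for slapd.conf (not from the thread). Assumes the
# directory layout from the question:
#   uid=...,ou=people,dc=thecompany,dc=co,dc=nz        o: Some Company Ltd
#   o=...,ou=organisations,dc=thecompany,dc=co,dc=nz   owner: <DN of parent org>
#
# ACLs are evaluated in order and the first matching "by" clause wins,
# so the set clause must come before the catch-all "by * none".

# People: a user may read their own entry; nobody else's entry is exposed
# here (extend as needed for admins, replication, etc.).
access to dn.subtree="ou=people,dc=thecompany,dc=co,dc=nz"
    by self read
    by * none

# Organisations: grant read on an organisation entry only when the entry
# named in its "owner" attribute has an "o" value equal to one of the
# bound user's own "o" values.
#   this/owner    -> DN(s) stored in the accessed entry's owner attribute
#   this/owner/o  -> the "o" values of the entries those DNs point to
#   user/o        -> the "o" values of the authenticated user's entry
# "&" intersects the two value sets; a non-empty result grants access.
# Entries with no owner (top-level organisations) yield an empty set and
# fall through to "by * none".
access to dn.subtree="ou=organisations,dc=thecompany,dc=co,dc=nz"
    by set="this/owner/o & user/o" read
    by * none
```

With the example data from the question, a user bound as uid=12345679 with o=Some Company Ltd can read o=Subsidiary Company Ltd because that entry's owner DN resolves to an entry whose o is "Some Company Ltd"; a user from a different company gets an empty intersection and no access. Two points worth checking before relying on this: the comparison of "o" values uses the attribute's equality matching rule, so the user's "o" must match the organisation's "o" under that rule rather than merely look similar, and slapd.access(5) describes sets as an experimental feature, so test the ACL with `slapacl` (for example `slapacl -D <user DN> -b <organisation DN> read`) against a copy of the directory before deploying it.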