Hi
I wanted to run a scenario past everyone to see if there is a better approach to the one I am thinking of implementing.
The OU structure we have is:
+- dc=example,dc=com
   +-- ou=accounts
       +--- ou=subsidiary1
       +--- ou=subsidiary2
       +--- ou=special
       +--- ou=staff
       +--- ou=the-rest
I have two groups defined - one group needs to be able to create new entries under the staff OU, and the other group needs to be able to create new entries under the OUs subsidiary1, subsidiary2 and the-rest. Nobody (except for LDAP admin) should be able to create entries under OU special.
More specifically, I want group members to be able to *add* new entries but modification and deletion of entries should only be done by the LDAP admin. I *may* want to allow group members to modify entries in the future but certainly just add for now.
A couple of notes about subsidiary1/subsidiary2:
* they aren't really called that :-)
* more will get added over time, with corresponding changes in permissions required.
In other words, I can't use a regex to match against "subsidiary", but I want an ACL implementation that, if possible, can cope with future OUs being created without modifying the ACLs.
So, my thinking is:
1. Have an ACL that blocks write access to "special".
2. Have an ACL that grants write access to "staff" for members of the staff account managers group.
3. Have one ACL that grants write access to all other OUs for members of the non-staff account managers group.
If that makes sense ...
access to dn.exact="ou=special,ou=accounts,dc=example,dc=com" attrs=children by * none
access to dn.exact="ou=staff,ou=accounts,dc=example,dc=com" attrs=children by group="cn=account-mgrs-staff,ou=mailing,ou=groups,dc=example,dc=com" add by * none
access to dn.sub="ou=staff,ou=accounts,dc=example,dc=com" attrs=entry by group="cn=account-mgrs-staff,ou=mailing,ou=groups,dc=example,dc=com" add by * none
How do I do the rules for the other OUs? Can I have just two rules? One to allow access to the children attribute and one to allow access to the entry attribute? If so, it would need to be on the OUs *beneath* ou=accounts so that members of the group cannot create entries within ou=accounts.
So would this work?
access to dn.one="ou=accounts,dc=example,dc=com" attrs=children by group="cn=account-mgrs-non-staff,ou=mailing,ou=groups,dc=example,dc=com" add by * none
access to dn.sub="ou=accounts,dc=example,dc=com" attrs=entry by group="cn=account-mgrs-non-staff,ou=mailing,ou=groups,dc=example,dc=com" add by * none
I'm not sure if members of account-mgrs-non-staff would be blocked from adding to ou=staff ...
Suggestions or help appreciated.
Regards
Philip
openldap-technical@openldap.org
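Added example, not part of Philip's post and not OpenLDAP code: a small Python model of slapd's first-match ACL evaluation for the add operation, following the dn.exact / dn.one / dn.sub scopes, the "children" and "entry" pseudo-attributes, the "add" access level and the implicit trailing "access to * by * none" as documented in slapd.access(5). It replays the five clauses posted above and reports who may create an entry directly under each OU, including a hypothetical future ou=subsidiary3 and ou=accounts itself. Group membership is modelled as a precomputed set rather than resolved from groupOfNames entries, and the bind DNs uid=alice, uid=bob and cn=admin are made up for the example. Against a live server the equivalent checks are run with slapacl(8).

```python
from dataclasses import dataclass

# Cumulative privilege sets; disclose/auth/compare/search are omitted because
# only read, add and write matter for this scenario.
PRIVS = {
    "none": frozenset(),
    "read": frozenset({"read"}),
    "add": frozenset({"read", "add"}),
    "delete": frozenset({"read", "delete"}),
    "write": frozenset({"read", "add", "delete"}),
}

def normalize(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))

def parent_dn(dn):
    dn = normalize(dn)
    return dn.split(",", 1)[1] if "," in dn else ""

def scope_matches(scope, base, dn):
    base, dn = normalize(base), normalize(dn)
    if scope == "exact":
        return dn == base
    if scope == "one":   # exactly one level below base, never base itself
        return dn != base and parent_dn(dn) == base
    if scope == "sub":   # base itself and everything below it
        return dn == base or dn.endswith("," + base)
    raise ValueError(f"unsupported scope {scope!r}")

@dataclass(frozen=True)
class Subject:
    dn: str
    groups: frozenset = frozenset()   # group DNs the bind DN belongs to (precomputed)
    is_rootdn: bool = False           # the rootdn bypasses ACLs entirely

@dataclass(frozen=True)
class Rule:
    scope: str        # "exact", "one" or "sub"
    base: str
    attrs: frozenset  # pseudo-attributes the clause covers
    by: tuple         # ((who, level), ...) in the order written

def who_matches(who, subject):
    if who == "*":
        return True
    if who.startswith("group="):
        return normalize(who[len("group="):]) in {normalize(g) for g in subject.groups}
    raise ValueError(f"unsupported <who> {who!r}")

def access_level(rules, target_dn, attr, subject):
    """First clause whose target matches decides; within it, first matching <by> wins."""
    for rule in rules:
        if attr in rule.attrs and scope_matches(rule.scope, rule.base, target_dn):
            for who, level in rule.by:
                if who_matches(who, subject):
                    return level
            return "none"  # clause matched but no <by> did: implicit "by * none"
    return "none"          # no clause matched: implicit trailing "access to * by * none"

def can_add(rules, new_dn, subject):
    """An add needs 'add' on the parent's children and 'add' on the new entry's entry."""
    if subject.is_rootdn:
        return True
    on_children = PRIVS[access_level(rules, parent_dn(new_dn), "children", subject)]
    on_entry = PRIVS[access_level(rules, new_dn, "entry", subject)]
    return "add" in on_children and "add" in on_entry

ACCOUNTS = "ou=accounts,dc=example,dc=com"
STAFF_MGRS = "cn=account-mgrs-staff,ou=mailing,ou=groups,dc=example,dc=com"
OTHER_MGRS = "cn=account-mgrs-non-staff,ou=mailing,ou=groups,dc=example,dc=com"

# The five clauses exactly as posted, in the posted order.
POSTED_RULES = (
    Rule("exact", "ou=special," + ACCOUNTS, frozenset({"children"}), (("*", "none"),)),
    Rule("exact", "ou=staff," + ACCOUNTS, frozenset({"children"}),
         (("group=" + STAFF_MGRS, "add"), ("*", "none"))),
    Rule("sub", "ou=staff," + ACCOUNTS, frozenset({"entry"}),
         (("group=" + STAFF_MGRS, "add"), ("*", "none"))),
    Rule("one", ACCOUNTS, frozenset({"children"}),
         (("group=" + OTHER_MGRS, "add"), ("*", "none"))),
    Rule("sub", ACCOUNTS, frozenset({"entry"}),
         (("group=" + OTHER_MGRS, "add"), ("*", "none"))),
)

# Made-up bind DNs for the example.
SUBJECTS = {
    "staff-mgr": Subject("uid=alice,ou=staff," + ACCOUNTS, frozenset({STAFF_MGRS})),
    "other-mgr": Subject("uid=bob,ou=the-rest," + ACCOUNTS, frozenset({OTHER_MGRS})),
    "admin": Subject("cn=admin,dc=example,dc=com", is_rootdn=True),
}

def add_matrix(rules=POSTED_RULES):
    """{ou: {subject: may_add}} for a new uid=newuser entry directly under each OU."""
    parents = {ou: f"ou={ou},{ACCOUNTS}" for ou in
               ("subsidiary1", "subsidiary2", "the-rest", "subsidiary3", "staff", "special")}
    parents["accounts"] = ACCOUNTS   # adding straight under ou=accounts
    return {ou: {name: can_add(rules, "uid=newuser," + p, s) for name, s in SUBJECTS.items()}
            for ou, p in parents.items()}

if __name__ == "__main__":
    for ou, row in add_matrix().items():
        print(f"{ou:12s}", "  ".join(f"{k}={'yes' if v else 'no'}" for k, v in row.items()))
```

Because the dn.exact clauses for ou=staff and ou=special come before the dn.one/dn.sub clauses for ou=accounts, a non-staff manager adding under ou=staff hits the ou=staff children clause first and falls to its "by * none"; the later ou=accounts clause is never consulted. The same first-match order is what makes a future ou=subsidiary3 work with no ACL change, while ou=accounts itself stays closed because dn.one excludes the base entry.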