
ACL for Debian-Edu/Skolelinux



Hi all,

currently I am trying to define and preconfigure the gosa ldap tree to
include ACLs for easy administration of all users in our schools out
of the box. The handling of ACLs in GOsa seems to be rather flexible,
so let me outline my ideas how to do it and please comment if there
are better ways.

So far, our LDAP tree contains two departments: Teachers and
Students. Depending on the school, the students' department might contain
departments for each class or age or whatever, but this will be done
by the school's admin.  

To allow other users to help the super-admin who has all possible
rights, I defined two ACL roles (besides password changes allowed for
all users):

	* admin (standard access for administration of all users;
	  members have to be added individually)

	* junior-admin (allowed to access only the students department;
	  teachers should be in this group by default, students have
	  to be added individually)

Both roles extend over the complete subtree (permanent) of the object
they are associated with.

If I understand things correctly, I can place the objects defining
these roles anywhere in the LDAP-tree, I choose the base.

Up to now, no user or object is related to the defined ACL roles. I
create an ACL assignment for the subtree (permanent) "students" and
associate the junior-admin role with this subtree. As members I use
all users in the posix group "teachers". Students can be added to this
ACL individually.

To associate the admin ACL with an object, I add an ACL to the base
with the admin role (members have to be added individually, so after
installation this ACL will be empty or might contain the posix adm
group).

I am not sure if I need the admin and junior-admin roles, because with
the described setup, access is controlled by the limitation on only
the students subtree for the junior-admin. So a single admin role (or
direct association with the department) would suffice too.
Discrimination between admin and junior-admin is then done only
by adding the members to the ACL associated with the base (admin) or
students department (junior-admin).

Any hints, tips or recommendations?

Thanks in advance,

       Andi
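To make the point of the last paragraph concrete (the restriction on junior-admins comes from the scope of the ACL assignment, not from the role itself), here is an added Python model of the described setup. It is not GOsa code and does not use GOsa's ACL syntax; the base DN, uids and posix groups are constructed for the example.

```python
from dataclasses import dataclass, field

BASE = "dc=skole,dc=example"          # constructed base DN, not a real site
STUDENTS = f"ou=students,{BASE}"
TEACHERS = f"ou=teachers,{BASE}"

# Constructed posix groups: group name -> member uids.
POSIX_GROUPS = {
    "teachers": {"alice", "bob"},
    "adm": {"root-admin"},
}

@dataclass
class AclAssignment:
    """One ACL attached to an object: which role, how far it reaches, who holds it."""
    dn: str                         # object the ACL is attached to
    role: str                       # ACL role name (admin / junior-admin)
    subtree: bool                   # True = "permanent": covers the whole subtree
    users: set = field(default_factory=set)    # individually added members
    groups: set = field(default_factory=set)   # posix groups whose members count

# The two assignments described in the post: admin on the base (posix adm group),
# junior-admin on the students subtree (teachers by group, one student added by hand).
ASSIGNMENTS = [
    AclAssignment(BASE, "admin", True, groups={"adm"}),
    AclAssignment(STUDENTS, "junior-admin", True, groups={"teachers"}, users={"carla"}),
]

def in_scope(acl_dn: str, target_dn: str, subtree: bool) -> bool:
    """Does an ACL placed on acl_dn reach target_dn? (suffix match on lowercased DNs)"""
    acl_dn, target_dn = acl_dn.lower(), target_dn.lower()
    return target_dn == acl_dn or (subtree and target_dn.endswith("," + acl_dn))

def is_member(uid: str, acl: AclAssignment) -> bool:
    """Member either directly or through one of the assignment's posix groups."""
    return uid in acl.users or any(uid in POSIX_GROUPS.get(g, ()) for g in acl.groups)

def roles_for(uid: str, target_dn: str) -> set:
    """Roles uid holds over target_dn; an empty set means no administrative access."""
    return {a.role for a in ASSIGNMENTS
            if in_scope(a.dn, target_dn, a.subtree) and is_member(uid, a)}

if __name__ == "__main__":
    print(roles_for("alice", f"uid=pupil1,ou=1a,{STUDENTS}"))  # {'junior-admin'}
    print(roles_for("alice", f"uid=bob,{TEACHERS}"))           # set()
    print(roles_for("root-admin", f"uid=bob,{TEACHERS}"))      # {'admin'}
```

Swapping the role name "junior-admin" for "admin" in the second assignment changes nothing in these results, which is exactly why a single role plus two differently scoped assignments would behave the same.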