
LDAP administrators for sub-domains



I am setting up an LDAP server which will contain back-end data for hosting a 
number of domains.  Each domain will have its own sub-tree and its own 
administrator which is to have write access to the sub-tree.

Currently I have implemented this through security checking in the 
application and the following ACL:
access to dn=".*,ou=customers,dc=xxx,dc=nl"
        by dn=".*,ou=staff,dc=xxx,dc=nl" write
        by dn="uid=.*,ou=.*,ou=customers,dc=xxx,dc=nl" write

So staff of my company can write to any account in LDAP and any administrator 
(someone with a dn that starts with "uid") can write to any company (the 
applications are being written not to allow an administrator from customerA to 
write to the tree of customerB).

I would like to have this in my LDAP ACLs.  Is there any way I can do this 
through groups etc?

-- 
http://www.coker.com.au/bonnie++/     Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/       Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/     My home page
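
The following is an added example, not part of the original message: a small Python model of the ACL quoted above, showing that it grants a customerA administrator write access to customerB's sub-tree, next to a hypothetical variant that captures the customer ou from the target DN and requires the same ou in the administrator's DN. The sample DNs, the SCOPED_ACL rule and the matching model (unanchored, case-insensitive regex search) are assumptions; the slapd.conf form in the comment uses OpenLDAP 2.x dn.regex syntax and should be checked against slapd.access(5) for the server version in use.

```python
import re

# ACLs as (target regex, [(subject regex, access), ...]). Matching is modelled
# with unanchored, case-insensitive re.search (an assumption of this sketch).
CURRENT_ACL = (  # the ACL from the post, unchanged
    r".*,ou=customers,dc=xxx,dc=nl",
    [(r".*,ou=staff,dc=xxx,dc=nl", "write"),
     (r"uid=.*,ou=.*,ou=customers,dc=xxx,dc=nl", "write")],
)

# Hypothetical tenant-scoped variant: group 2 of the target regex is the
# customer ou, and $2 forces the same ou into the administrator's DN.
# Rough slapd.conf form (OpenLDAP 2.x syntax):
#   access to dn.regex="^(.+,)?ou=([^,]+),ou=customers,dc=xxx,dc=nl$"
#           by dn.regex=".*,ou=staff,dc=xxx,dc=nl" write
#           by dn.regex="^uid=[^,]+,ou=$2,ou=customers,dc=xxx,dc=nl" write
SCOPED_ACL = (
    r"^(.+,)?ou=([^,]+),ou=customers,dc=xxx,dc=nl$",
    [(r".*,ou=staff,dc=xxx,dc=nl", "write"),
     (r"^uid=[^,]+,ou=$2,ou=customers,dc=xxx,dc=nl", "write")],
)

def access(acl, who, target):
    """Return the level granted by the first matching by-clause, or None."""
    what, by_clauses = acl
    hit = re.search(what, target, re.I)
    if hit is None:
        return None
    for pattern, level in by_clauses:
        # Expand $N with the text captured from the target DN (escaped in this
        # sketch so the captured value is matched literally).
        expanded = re.sub(
            r"\$(\d)",
            lambda d: re.escape(hit.group(int(d.group(1))) or ""),
            pattern)
        if re.search(expanded, who, re.I):
            return level
    return None

# Constructed sample DNs.
STAFF = "uid=ops,ou=staff,dc=xxx,dc=nl"
ADMIN_A = "uid=admin,ou=customerA,ou=customers,dc=xxx,dc=nl"
ENTRY_A = "uid=alice,ou=customerA,ou=customers,dc=xxx,dc=nl"
ENTRY_B = "uid=bob,ou=customerB,ou=customers,dc=xxx,dc=nl"

if __name__ == "__main__":
    for name, acl in (("current", CURRENT_ACL), ("scoped", SCOPED_ACL)):
        for target in (ENTRY_A, ENTRY_B):
            print(name, "adminA ->", target, ":", access(acl, ADMIN_A, target))
```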


