LDAP administrators for sub-domains
I am setting up an LDAP server which will contain back-end data for hosting a
number of domains. Each domain will have its own sub-tree and its own
administrator which is to have write access to the sub-tree.
Currently I have implemented this through security checking in the
application and the following ACL:
access to dn=".*,ou=customers,dc=xxx,dc=nl"
    by dn=".*,ou=staff,dc=xxx,dc=nl" write
    by dn="uid=.*,ou=.*,ou=customers,dc=xxx,dc=nl" write
So staff of my company can write to any account in LDAP and any administrator
(someone with a dn that starts with "uid") can write to any company (the
applications are being written not to allow an administrator from customerA to
write to the tree of customerB).
I would like to have this in my LDAP ACLs. Is there any way I can do this
through groups etc?
--
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/ My home page
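
Added example, not part of the original post: a small Python model of how the ACL above is evaluated, showing that it lets a customerA administrator write under customerB, next to a scoped variant that ties the administrator's ou to the entry's ou. The SCOPED_* patterns, the can_write helper and the sample DNs are constructed for illustration; the scoped rule assumes the server substitutes $N groups from the target match into the "by" clause, which OpenLDAP documents in slapd.access(5).

```python
import re

# Patterns copied from the ACL in the post.
TARGET = r".*,ou=customers,dc=xxx,dc=nl"
STAFF = r".*,ou=staff,dc=xxx,dc=nl"
ADMIN_ANY = r"uid=.*,ou=.*,ou=customers,dc=xxx,dc=nl"

# Scoped variant (constructed): group 2 captures the customer's ou in the
# target DN and is reused as $2 when matching the bind DN.
SCOPED_TARGET = r"^(.+,)?ou=([^,]+),ou=customers,dc=xxx,dc=nl$"
SCOPED_ADMIN = r"^uid=[^,]+,ou=$2,ou=customers,dc=xxx,dc=nl$"


def can_write(target_re, who_rules, entry_dn, bind_dn):
    """Model of one 'access to <target> by <who> write' block."""
    m = re.search(target_re, entry_dn, re.I)
    if not m:
        return False  # this ACL block does not apply to the entry
    for rule in who_rules:
        # Expand $N with the text captured from the target DN (escaped so
        # captured characters are matched literally).
        pat = re.sub(r"\$(\d)",
                     lambda g: re.escape(m.group(int(g.group(1)))), rule)
        if re.search(pat, bind_dn, re.I):
            return True
    return False


# Constructed sample DNs.
ADMIN_A = "uid=admin,ou=customerA,ou=customers,dc=xxx,dc=nl"
STAFF_1 = "uid=op1,ou=staff,dc=xxx,dc=nl"
ENTRY_A = "cn=www,ou=customerA,ou=customers,dc=xxx,dc=nl"
ENTRY_B = "cn=www,ou=customerB,ou=customers,dc=xxx,dc=nl"


def report():
    page = [STAFF, ADMIN_ANY]
    scoped = [STAFF, SCOPED_ADMIN]
    return {
        "page: adminA -> customerB": can_write(TARGET, page, ENTRY_B, ADMIN_A),
        "scoped: adminA -> customerB": can_write(SCOPED_TARGET, scoped, ENTRY_B, ADMIN_A),
        "scoped: adminA -> customerA": can_write(SCOPED_TARGET, scoped, ENTRY_A, ADMIN_A),
        "scoped: staff -> customerB": can_write(SCOPED_TARGET, scoped, ENTRY_B, STAFF_1),
    }


if __name__ == "__main__":
    for case, allowed in report().items():
        print(f"{case}: {'write' if allowed else 'denied'}")
```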