I'm trying to store ACL permissions in LDAP. I have permissions for users and for groups (a user belongs to many groups). Here is the structure I create:

ou=Groups
    cn=Admin [posixGroup] {memberUid=andrew, memberUid=johny}
        cn=Right {resource:ftp1, action:all}
        cn=Right {resource:ftp2, action:all}
    cn=Editor [posixGroup] {memberUid=joseph}
        cn=Right {resource:ftp1, action:list}
ou=People
    cn=andrew {uid=andrew}
        cn=Right {resource:ftp3, action:all}
    cn=johny {uid=johny}
    cn=joseph {uid=joseph}

The attributes are in brackets {}. When andrew connects to ftp3, I'd like to check his permissions, so I query:

(|(memberUid=andrew)(uid=andrew))

but I get only the parent elements of cn=Right: cn=andrew and cn=Admin. Is it possible to write a query that returns the cn=Right elements, filtering by the memberUid / uid attributes defined in their parents? Or does the structure have to be changed in some way? Thank you very much for your time. Andrew
With your current schema, I believe you'd have to do two sets of queries: ... Right entry, setting the base DN to the entry you found in step 1.

Or you could change the structure so that users and groups have multi-value right entries, perhaps something like: ...

Your query would be the same, but you'd get the right attributes in the returned set (without having to do any further queries). Or, if you know the service and permission level requested at the time you make the query, you can put that in, too: ...

If you get at least one result, then you know you can grant access; otherwise, deny access.