I'm designing a new directory for keeping records about our company
computers, accounts, etc. I would like to have a number of different
access levels like support, management, network technician, ... Every
entry would have a multivalued attribute named, for example, accessclass to
determine its access, and there would be a role for every access level.
What is the best way to implement ACIs like "allow access to every entry
with attribute accessclass=support for every member of role support"?
I've found out that there are 3 options:
1) Create a separate ACI for each access class
2) Create a macro ACI using something like
roledn = "ldap:///($attr.accessclass),ou=roles,dc=....."
But it seems that this macro expands to accessclass=support,ou=roles,...
and thus my roles would need to be named using the accessclass attribute
instead of a common name...
3) Create an ACI using userattr like this:
userattr = "accessclass#ROLEDN"
but this would require having the complete role RDN in the user's accessclass
attribute.
Which way would you suggest?
Radek
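As an added illustration of option 2 (not part of the original post), here is what the role entry and the macro ACI would look like in 389/Sun Directory Server ACI syntax, assuming a base of dc=example,dc=com, a managed role, and that accessclass is a custom attribute allowed on the entries via extensibleObject:

```ldif
# Constructed example: a managed role for the "support" access class.
# Its RDN uses accessclass rather than cn, because the macro ACI below
# expands ($attr.accessclass) to "accessclass=<value>" and must resolve
# to this role's DN.
dn: accessclass=support,ou=roles,dc=example,dc=com
objectClass: top
objectClass: LDAPsubentry
objectClass: nsRoleDefinition
objectClass: nsSimpleRoleDefinition
objectClass: nsManagedRoleDefinition
objectClass: extensibleObject
accessclass: support
cn: support role
description: members may read entries tagged accessclass=support

# Constructed example record tagged with one access class. A user who is
# a member of the support role (nsRoleDN: accessclass=support,ou=roles,...)
# gets read/search/compare on this entry through the ACI below.
dn: cn=ws-0042,ou=computers,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: extensibleObject
cn: ws-0042
accessclass: support

# One macro ACI on the suffix instead of one ACI per access class.
# For each target entry, ($attr.accessclass) is replaced with the
# value of that entry's accessclass attribute, so an entry with
# accessclass=management is matched against the management role.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(target="ldap:///dc=example,dc=com")
 (version 3.0; acl "read by access class role"; allow (read,search,compare)
 roledn="ldap:///($attr.accessclass),ou=roles,dc=example,dc=com";)
```

Keep the grant read-only as shown and add write rights in separate, narrower ACIs, so that a misnamed role entry under ou=roles cannot widen access beyond read.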