
I'm trying to store ACL permissions in LDAP. I have permissions for users and for groups (a user belongs to many groups). Here is the structure I create:

 ou=Groups
    cn=Admin [posixGroup] {memberUid=andrew, memberUid=johny}
       cn=Right {resource:ftp1, action:all}
       cn=Right {resource:ftp2, action:all}
    cn=Editor [posixGroup] {memberUid=joseph}
       cn=Right {resource:ftp1, action:list}
 ou=People
    cn=andrew {uid=andrew}
       cn=Right {resource:ftp3, action:all}
    cn=johny {uid=johny}
    cn=joseph {uid=joseph}

There are attributes in brackets {}. Well, when andrew connects to ftp3, I'd like to check permissions, so I query:

(|(memberUid=andrew)(uid=andrew))

but I get only the parent elements of cn=Right: cn=andrew and cn=Admin. Is it possible to write a query that returns the cn=Right elements using a filter on the memberUid/uid attributes defined in the parents? Or does the structure have to be changed in some way? Thank you very much for your time. Andrew

andrew

1 Answer


With your current schema, I believe you'd have to do two sets of queries:

  1. Use your existing query to find matching users and groups.
  2. For each of those entries found, query each to see if it has a Right entry, setting the base DN to the entry you found in step 1.

Or you could change the structure so that users and groups have multi-value right entries, perhaps something like:

cn=Admin [posixGroup] {memberUid=andrew, memberUid=johny,
                       right: ftp1/all, right: ftp2/all}
cn=Editor [posixGroup] {memberUid=joseph, right: ftp1/list}
...
cn=andrew {uid=andrew, right: ftp3/all}

Your query would be the same, but you'd get the right attributes in the returned set (without having to do any further queries). Or, if you know the service and permission level requested at the time you make the query, you can put that in, too:

(&(|(memberUid=andrew)(uid=andrew))(right=ftp3/all))

If you get at least one result, then you know you can grant access; otherwise, deny access.

fission
  • Oh, I forgot, I can use more attributes with the same name in one element (a big step for me, coming from objects in programming). It is a very nice one-query solution! And with pattern matching on the attribute value, it has all that we need. Thank you a lot fission – andrew Jan 12 '12 at 08:13
  • Can't +1, small reputation number :( – andrew Jan 12 '12 at 08:15
  • You're welcome. If you think this is the correct answer, you could accept it; that would be even better than a +1, and will give you +2, too! – fission Jan 12 '12 at 08:30
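As an added example (not code from the question or the answer), the answer's single-query approach in Python: the flattened entries are held in a constructed in-memory dictionary and a minimal filter evaluator stands in for the directory server. The RFC 4515 escaping of the caller-supplied username and the `(|(right=RES/all)(right=RES/ACTION))` widening, so that `all` also satisfies a narrower action such as `list`, are assumptions of this example.

```python
import re

# Constructed in-memory copy of the answer's flattened layout: DN -> attributes.
# Multi-valued attributes (memberUid, right) are lists, as in a real directory.
ENTRIES = {
    "cn=Admin,ou=Groups": {"memberUid": ["andrew", "johny"],
                           "right": ["ftp1/all", "ftp2/all"]},
    "cn=Editor,ou=Groups": {"memberUid": ["joseph"], "right": ["ftp1/list"]},
    "cn=andrew,ou=People": {"uid": ["andrew"], "right": ["ftp3/all"]},
    "cn=johny,ou=People": {"uid": ["johny"]},
    "cn=joseph,ou=People": {"uid": ["joseph"]},
}

def escape_filter_value(value):
    """RFC 4515 escaping: a caller-supplied username or resource name must not
    be able to smuggle '*', '(' or ')' into the filter and widen the match."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_filter(user, resource, action):
    """The answer's single filter, extended (assumption of this example) so
    that a stored 'RES/all' right also satisfies a narrower requested action."""
    u, r, a = (escape_filter_value(x) for x in (user, resource, action))
    return f"(&(|(memberUid={u})(uid={u}))(|(right={r}/all)(right={r}/{a})))"

def _parse(f, i):
    """Parse one filter item starting at f[i]; return (matcher, next index).
    Supports only what the page uses: '&', '|' and equality matches."""
    if f[i + 1] in "&|":
        op, subs, i = f[i + 1], [], i + 2
        while f[i] == "(":
            m, i = _parse(f, i)
            subs.append(m)
        comb = all if op == "&" else any
        return (lambda e: comb(s(e) for s in subs)), i + 1
    j = f.index(")", i)
    attr, raw = f[i + 1:j].split("=", 1)
    # Undo the \xx escapes so an escaped '*' compares as a literal asterisk.
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return (lambda e: value in e.get(attr, [])), j + 1

def search(filt):
    """Return the DNs of entries matching the filter (what a server returns)."""
    matcher, end = _parse(filt, 0)
    if end != len(filt):
        raise ValueError("malformed filter: " + filt)
    return sorted(dn for dn, entry in ENTRIES.items() if matcher(entry))

def is_allowed(user, resource, action):
    """The answer's rule: at least one hit grants access, no hit denies it."""
    return bool(search(build_filter(user, resource, action)))
```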