Is there an elegant way to limit simpleSecurityObject users to reading
and searching within their own ou? Perhaps using an ACL based on a
regular expression?
Some background: I'm adding LDAP support to Enswitch, which is a
soft-switch for multi-tenant hosted telephone services. An Enswitch
system has many tenants, each of which is typically a small company.
Each tenant is completely independent and for privacy reasons must not
be able to see any other tenant on the system. Each tenant has people
and telephones. The telephones are physical VoIP telephones that sit on
the users' desks, and they have LDAP clients built-in that allow the
telephone to search for people within their tenant. Each telephone and
each person has a corresponding entry in Enswitch. These are stored in a
MySQL database, and pushed to the LDAP server by the Enswitch code. This
part is done and working. I'm storing each tenant as a separate ou below
the LDAP base, and within the tenant storing each person as a
inetOrgPerson and each telephone as a simpleSecurityObject. I have
anonymous access to LDAP disabled. This allows the telephones to connect
to the LDAP server with their username and password and search for
people. The only part missing is limiting the telephone lines to
searching within their own tenant (i.e. the same ou).
Any suggestions on how to do this? If this is not feasible using the ou
method, I'm willing to consider other methods such as groups.
--
Alistair Cunningham
+1 888 468 3111
+44 20 799 39 799
https://enswitch.com/
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
