OpenLDAP multi-tenant-like ACL


Is it possible to write an ACL in OpenLDAP that implements a multi-user, multi-tenancy environment? I mean securing the DIT using one rule that matches dynamically for every customer.

Example DIT:

root
..customer1
....users
......admin
......user
....objects
..customer2
....users
......admin
......user
....objects

What I want is that the admin user of customer1 may see and write the objects of customer1, and the customer2 users may see and write the customer2 objects. The same goes for the "user" of each customer, but in read-only mode.

I didn't get such an ACL working; I found examples for writing below the user's entry in the tree, but nothing for going two levels up and allowing writes below that. Does anyone have an idea how to apply such an ACL?

Thanks.

I suggest that what you want here is OpenLDAP's ACL feature called sets.

Try something like this:

olcAccess: to dn.regex="^o=[^,]+,dc=example,dc=com$"
  by set="this/-*/manager/member* & user" write
  by set="this/-*/manager & user" write
  by set="([ldap:///cn=admin,ou=users,] + this + [??sub?objectclass=inetorgperson]) & user" write
  by set="([ldap:///] + this + [??sub?objectclass=inetorgperson]) & user" read
  by * none
  1. identifies the objects the rule applies to. In this case, it assumes each "client" object has the DN "o=client company name,dc=example,dc=com"
  2. allows the members (recursively resolved, i.e. groups that are members of groups) of the group assigned to the "manager" attribute of the client object (or of a parent object) to write the client object
  3. allows a user directly assigned to the "manager" attribute of the client object (or of a parent object) to write the client object
  4. allows the user with RDN cn=admin,ou=users relative to the client object to write it
  5. allows descendant user objects of the client object to read it
