
ACL -> peer and domain



What ACL rules are available to set ACLs on the basis of IP address or
domain name?

I've heard about them (I think it's peername and domain) but I need to see some
syntax examples.

Tarjei
----- Original Message -----
From: "Pierangelo Masarati" <masarati@aero.polimi.it>
To: "Timo" <timo@gerichhausen.de>
Cc: <openldap-software@OpenLDAP.org>
Sent: Friday, August 24, 2001 3:03 PM
Subject: Re: Access Control - Variables


> Timo wrote:
> >
> > Dear List!
> >
> > Is it possible to use Variables in ACL rules?
> >
> > I'm trying to implement an access-control structure for a
> > hardware-management-database.
> > Since it will be used for multiple customers, each customer should only
> > "see" their hardware.
> >
> > The customers will be in
> > cn=XY, ou=people, o=customerorganisation, ou=customers, o=myorganisation
> >
> > Their hardware will be in
> > myobject=XYZ, o=customerorganisation, ou=customers, o=myorganisation
> >
> > The people of my organisation (who will get write access to everything)
> > will be in
> > cn=xy, ou=peole, o=myorganisation
> >
> > So my ACL has to look somehow like this:
> > access to dn="myobject=XYZ, o=$1, ou=customers, o=myorganisation"
> >         by dn="cn=*,ou=peole, o=myorganisation" write
> >         by dn="cn=XY, ou=people, o=$1, ou=customers, o=myorganisation"
> > write
> >
> > Somewhere I've seen ACL-descriptions like these:
> > access to dn="(.*)?, o=$1, ou=customers, o=myorganisation"
> >         by dn="(.*)?, ou=peole, o=myorganisation" write
> >         by dn="(.*)?, ou=people, o=$1, ou=customers, o=myorganisation"
> > write
> >
> > My Questions:
> > A: Will both of the above ACLS work, and, if, where is the difference?
> > B: Will the Variable "o=$1" work? If not, how can I get a similar result
> > without hard-coding
> >    every customer in the ACL?
>
> You can use regex pattern substitution in the form:
>
> access to dn=".*ou=([^,]+),o=myorganization"
> by dn="cn=admin,ou=$1,o=myorganization" write
> by * read
>
> so, if you call "cn=admin,ou=customer X,o=myorganization"
> the administrator of "customer X", then it can access
> all data below "ou=customer X,o=myorganization"
>
> Pierangelo.
>
>
> --
> Dr. Pierangelo Masarati               | voice: +39 02 2399 8309
> Dip. Ing. Aerospaziale                | fax:   +39 02 2399 8334
> Politecnico di Milano                 | mailto:masarati@aero.polimi.it
> via La Masa 34, 20156 Milano, Italy   |
> http://www.aero.polimi.it/~masarati
>
>
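The syntax Tarjei asks about, as an added example rather than anything posted in this thread: slapd.conf ACL fragments for the tree Timo describes, combining the regex substitution Pierangelo shows with the peername= and domain= clauses. It follows the OpenLDAP 2.0 slapd.access(5) syntax current when the thread was posted (later releases added style selectors such as peername.ip= and domain.subtree=), and the 192.0.2.0/24 management network, the example.com host name suffix and the ou=people naming are assumptions.

```conf
# Added example, not from the thread. slapd.conf ACL fragments for the DIT
# Timo describes, combining the regex substitution Pierangelo shows with
# peername= and domain= clauses. Written against the OpenLDAP 2.0
# slapd.access(5) syntax; check the man page for your release. The network
# 192.0.2.0/24, the example.com suffix and "ou=people" are assumptions.
#
# slapd evaluates only the first "access to" directive whose target matches,
# and within it only the first "by" clause that matches the requester, so
# order directives from most to least specific.

# 1. Per-customer access without hard-coding each customer.
#    The regex is matched against the *normalized* target DN, i.e. with no
#    spaces after the commas, so patterns written as "cn=XY, ou=people, ..."
#    never match. Anchor with ^ and $ so ".*" cannot swallow more than intended.
#    $2 is the second parenthesized group: the customer's organisation name.
access to dn="^(.*,)?o=([^,]+),ou=customers,o=myorganisation$"
        by dn="^cn=[^,]+,ou=people,o=myorganisation$" write
        by dn="^cn=[^,]+,ou=people,o=$2,ou=customers,o=myorganisation$" write
        by * none

# 2. peername= matches the client's address string, which slapd builds as
#    "IP=<address>:<port>". Escape the dots and anchor both ends, otherwise
#    192.0.2.1 would also match 192.0.2.10 or 1192.0.2.1.
#    All conditions listed in one "by" clause must hold, so staff get write
#    access only when connecting from the management LAN, read otherwise.
access to dn="^(.*,)?o=myorganisation$"
        by dn="^cn=[^,]+,ou=people,o=myorganisation$"
           peername="^IP=192\.0\.2\.[0-9]+:[0-9]+$" write
        by dn="^cn=[^,]+,ou=people,o=myorganisation$" read
        by * none

# 3. domain= matches the client's host name as obtained by a reverse DNS
#    lookup of its address. That answer comes from whoever serves the
#    reverse zone, so treat domain= as a convenience filter, not as an
#    authentication control; base address decisions on peername= instead.
access to dn="^(.*,)?ou=public,o=myorganisation$"
        by domain="^(.*\.)?example\.com$" read
        by * none
```

The `by * none` lines are redundant, since a requester matched by no `by` clause is denied anyway, but stating them makes the intent visible when the file is reviewed.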