
Re: Tool to visualise ACL's



I've come a long way the past 24 hours.

Key to my efforts is a database in mysql that looks like:

CREATE TABLE acl (
  id smallint(6) unsigned NOT NULL auto_increment,
  a01 varchar(255) NOT NULL default '',
  a02 varchar(255) NOT NULL default '',
  a03 varchar(255) NOT NULL default '',
  a04 varchar(255) NOT NULL default '',
  a05 varchar(255) NOT NULL default '',
  a06 varchar(255) NOT NULL default '',
  a07 varchar(255) NOT NULL default '',
  a08 varchar(255) NOT NULL default '',
  a09 varchar(255) NOT NULL default '',
  a10 varchar(255) NOT NULL default '',
  PRIMARY KEY  (id)
);

and an awk script that looks like:

#!/usr/bin/awk -f
# aclview: turn slapd ACL trace lines ("=> ..." / "<= ...") into INSERT statements
  /^[=<][=>]/ {

   # escape for MySQL string literals: backslashes first, then single quotes
   gsub(/\\/, "\\\\\\\\")
   gsub("'","\\'")

   # NULL lets MySQL assign the auto_increment id
   printf("INSERT INTO acl VALUES (NULL")

   # fields 2..NF fill a01..a10; field 1 is the "=>" / "<=" marker itself
   n = 0
   i = 2
   while (i <= NF && n < 10) {
      printf(",'%s'",$i)
      ++i
      ++n
   }

   # pad so every row has exactly ten data columns
   while (n < 10) {
      printf(",'%s'","")
      ++n
   }

   printf(");\n")
  }


and a command line utility that looks like:

homer:# /usr/lib/openldap/slapd -d 128 2>&1 | sed "s/\(.\)=>/\1\n=>/g" | awk -f /devel/aclview/anal.awk | mysql aclview

What it does? It stuffs every line that begins with either '=>' or '<=' into 
a database. From there I am working on a php/mysql script to display the 
results. I came pretty far but fatigue forced me to go to sleep. (Seems that 
is common for members of the human race).

(The sed stuff is there because in 2.1.22 there is some forgetting of newlines 
after lines that start with 'match').


Maybe tonight I'll post a link to the full thing. However, this method is 
really flaky; you can't do any 'real' work with your ldap server during this 
acl-viewing. 

Ideally someone would write a simple tool (suggested name: ldapaccess) that 
could be executed like this:

ldapaccess -b base -D bind_dn -w password dn [attribute]

where 'dn' is the dn of an entry you want to have info about, and without the 
optional 'attribute' it'll give you all attributes.

results would be in the form:
dn attribute access

f.i.
dc=example,dc=com entry read
dc=example,dc=com objectclass none

With that, anyone could quickly whack up a nice looking 'aclview'.

But, I am not a C coder. :-(

Cheers,
ace
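The same pipeline as an added example (my code, not ace's): it does the sed job of splitting lines where a '=>' got glued to the previous message, keeps only marker lines, loads them into the ten-column table using bound parameters instead of hand-escaped string literals, and then pairs each access request with its verdict to produce 'dn attribute access' rows like the proposed ldapaccess output. The sample trace is constructed in the style of slapd -d 128 output, not captured from a server, and sqlite is used in place of MySQL so it runs offline.

```python
import re
import sqlite3

NCOLS = 10  # a01..a10, matching the acl table in the post

# Constructed sample in the style of `slapd -d 128` ACL tracing (not real
# captured output). Line 2 shows the missing-newline glitch the sed step
# repairs; the last line carries a quote character that must survive intact.
SAMPLE_DEBUG = """\
=> access_allowed: read access to "dc=example,dc=com" "entry" requested
=> acl_get: [1] attr entry=> acl_mask: access to entry "dc=example,dc=com", attr "entry" requested
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access to "dc=example,dc=com" "userPassword" requested
=> acl_get: [2] attr userPassword
<= acl_mask: [2] applying none(=0) (stop)
=> access_allowed: read access denied by none(=0)
noise before a marker => acl_get: [3] attr o'neil
"""

# Same job as sed "s/\(.\)=>/\1\n=>/g": break a line in front of any "=>"
# that is not already at the start of the line.
MIDLINE_MARKER = re.compile(r"(?<=.)(?==>)")


def marker_lines(text):
    """Return only the lines beginning with '=>' or '<=', after splitting
    lines where a marker was glued onto the previous message."""
    out = []
    for raw in text.splitlines():
        for piece in MIDLINE_MARKER.split(raw):
            if piece.startswith(("=>", "<=")):
                out.append(piece)
    return out


def to_row(line):
    """Fields after the marker become a01..a10, padded or truncated to ten."""
    fields = line.split()[1:NCOLS + 1]
    return tuple(fields + [""] * (NCOLS - len(fields)))


def load(lines, conn):
    """Insert rows with bound parameters, so quotes and backslashes in the
    log need no escaping. Column names are built from NCOLS only, never
    from log data."""
    cols = ",".join("a%02d" % n for n in range(1, NCOLS + 1))
    conn.execute("CREATE TABLE IF NOT EXISTS acl "
                 "(id INTEGER PRIMARY KEY AUTOINCREMENT, %s)" % cols)
    marks = ",".join("?" * NCOLS)
    conn.executemany("INSERT INTO acl (%s) VALUES (%s)" % (cols, marks),
                     (to_row(line) for line in lines))
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM acl").fetchone()[0]


REQUEST_RE = re.compile(
    r'^=> access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
RESULT_RE = re.compile(r'^=> access_allowed: \w+ access (granted|denied)')


def summarise(lines):
    """Pair each 'requested' line with the next granted/denied verdict and
    emit (dn, attribute, access) rows in the shape the proposed ldapaccess
    tool would print; a denied request is reported as 'none'."""
    rows, pending = [], None
    for line in lines:
        m = REQUEST_RE.match(line)
        if m:
            pending = (m.group(2), m.group(3), m.group(1))
            continue
        m = RESULT_RE.match(line)
        if m and pending is not None:
            dn, attr, op = pending
            rows.append((dn, attr, op if m.group(1) == "granted" else "none"))
            pending = None
    return rows


def demo():
    """Run the whole pipeline on the constructed sample."""
    lines = marker_lines(SAMPLE_DEBUG)
    conn = sqlite3.connect(":memory:")
    count = load(lines, conn)
    quoted = conn.execute("SELECT a04 FROM acl WHERE a02 = ?", ("[3]",)).fetchone()[0]
    return count, quoted, summarise(lines)


if __name__ == "__main__":
    n, q, rows = demo()
    print("%d rows loaded; a04 for acl_get [3] = %r" % (n, q))
    for dn, attr, access in rows:
        print(dn, attr, access)
```

Replace the in-memory sqlite connection with a MySQL DB-API connection (and `?` with that driver's placeholder) to feed the real aclview table; the rest is unchanged.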



> Ace Suares wrote:
> > Has anyone come up with a tool to visually represent the access a certain
> > user has to parts of the tree ?
> >
> > I Googled for 'ACL viewer' but found only something that displays access
> > to objects on MS Windows.
> >
> > I have some ideas but if anyone already knows of such a tool, I'd be glad
> > to hear it.
>
> It would certainly be nice, to say the least. My best bet for this up to
> now is to use GQ for trying things out in one desktop window, whilst I
> try out slapd.access rules in one xterm, use another xterm to tail -f
> slapd.log and in yet another xterm stop and start slapd. Not the best of
> methods.
>
> Why does an old stager like yourself do:
>
> References: <PHEKJLKKDLGCAEJLJPHMCEJMCBAA.douglas@gpc.edu>
> In-Reply-To: <PHEKJLKKDLGCAEJLJPHMCEJMCBAA.douglas@gpc.edu>
>
> Best,
>
> --Tonni