
RE: Tricky ACL

I'm using OpenLDAP 2.2.11, which I should probably upgrade to something more recent.  In 2.2.11 of slapd.access, set is "undocumented."  When it gave me the error, it said:

<attrlist> ::= <attr> [val[.<style>]=<value>] | <attr> , <attrlist>

which made me think I could have several.  Anyway, I'll try the head code and see if set works for me.



-----Original Message-----
From: Pierangelo Masarati [mailto:ando@sys-net.it]
Sent: Tue 10/12/2004 3:37 PM
To: Kasundra, Digant
Cc: openldap-software@OpenLDAP.org
Subject: Re: Tricky ACL

Kasundra, Digant wrote:


> I'm trying to figure out how to do a particularly tricky ACL. 
> Basically, I have a People branch and an Account branch.  The people
> branch has an attribute per entry called accountName which is the UID
> of their account in the account branch (the uid forms the dn of the
> account branch but the accountName attribute is just the uid, not the
> full dn).  People bind to the directory using their account entry, not
> their person entry.  I want to create an ACL such that a person bound
> to an account can read attributes associated with their person
> account.  I tried the following but slapd complained:
>
> access to dn.subtree="cn=people,dc=uta,dc=edu"
> attrs="entry,someAttribute,accountName val=$1"
> by dn.regex="uid=(.*),cn=accounts,dc=uta,dc=edu"
> peername.regex="129.107.*" read
>
> When I did this, it would complain of unknown attribute "accountName
> val=$1".
>
> Is what I am trying to do even possible?
>
You don't say what version you're using; this may impact the
availability of certain ACLs.  For HEAD code, which should be relatively
similar to 2.2.17 in this field, the slapd.access(5) man page documents
the "val" option for attributeType qualification; it says
    attrs=<attr> val[.<style>]=<attrval>
which means that only one attribute type must be present ("<attr>"); it
doesn't mention submatch (from DN?) expansion, and I'm pretty sure the
code doesn't do that.  What you want to do can be obtained by using

access to dn.subtree="cn=people,dc=uta,dc=edu"
    by set.exact="this/accountName & user/uid" read

Of course you may need more rules to make sure that "user" actually is
an account.

p.

    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
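The set-based rule from the reply above, written out as a complete slapd.conf access directive. This is an added illustration, not configuration from the thread: the attribute list and the branch names come from the original question, while the dn.subtree qualifier on the by clause and the trailing "by * none" are assumptions about how one would pin the bound user to the accounts branch, as the reply hints is needed.

```conf
# Added example (not from the thread): restrict what a bound account may
# read in the People branch to the person entry it is linked to.
#
# Target: entries under the People branch, only the listed attributes.
# "entry" is the pseudo-attribute a client needs to read an entry at all.
#
# Who: both qualifiers on the single "by" line must match.
#   dn.subtree=...accounts...   the binding DN must live under the
#                               accounts branch (assumption: this is the
#                               "more rules" the reply mentions, so that a
#                               stray entry elsewhere with a uid attribute
#                               cannot satisfy the set)
#   set.exact="this/accountName & user/uid"
#       this/accountName  accountName value(s) of the target person entry
#       user/uid          uid value(s) of the entry the client bound as
#       &                 intersection; non-empty means "same account"
#   set.exact takes the pattern literally, so no dn.regex submatch ($1)
#   expansion is attempted, which is what tripped the original attempt.
#
# Everyone else, including the same account reading a different person
# entry, gets nothing from this directive.
access to dn.subtree="cn=people,dc=uta,dc=edu"
        attrs="entry,someAttribute,accountName"
    by dn.subtree="cn=accounts,dc=uta,dc=edu"
       set.exact="this/accountName & user/uid" read
    by * none
```

Comments sit before the directive rather than between its continuation lines, since slapd.conf joins whitespace-indented lines onto the preceding logical line.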