Re: Subordinate ACL question
>
> Is the following sufficient to allow members of group cn=BAR to create
> entries of objectClass favouriteDrink under cn=FOO? (Obviously the DNs
> and object class are hypothetical.)
>
> access to dn.children=cn=FOO attrs=children,entry,@favouriteDrink
> by group/group/member.exact=cn=BAR write
>
> I'm a bit confused as the examples I've seen seem to show different
> ACLs for access to children and entry. I'm using the following ACLs
> successfully to allow principals to create subordinate entries to
> themselves:
>
> access to dn.regex="^cn=([^,]+),cn=FOO" attrs=children
> by dn.exact,expand="cn=$1,cn=BAR" write
>
> access to dn.regex="^[^,]+,cn=([^,]+),cn=FOO" attrs=entry,@favouriteDrink
> by dn.exact,expand="cn=$1,cn=BAR" write
>
Yes. I suggest a couple of improvements/fixes:
1) favouriteDrink is an attributeType; "@" is used to indicate the
attributeType collection that's required/allowed for an objectClass, I
assume that's what you meant, so the example is wrong and your intention
is to apply the rule to an objectClass.
2) use a trailing '$' in regex patterns.
3) in the first rule, you can expand "$0" instead (at least with HEAD code).
To summarize, your rules could look like:
access to dn.regex="^cn=[^,]+,cn=FOO$" attrs=children
by dn.exact,expand="$0" write
access to dn.regex="^[^,]+,cn=([^,]+),cn=FOO$" attrs=entry,@inetOrgPerson
by dn.exact,expand="cn=$1,cn=BAR" write
Or, if you can get rid of the "cn=" prefix to the patterns, you can
simplify even further (in HEAD):
access to dn.onelevel="cn=FOO" attrs=children
by dn.exact,expand="$0" write
access to dn.regex="^[^,]+,cn=([^,]+),cn=FOO$" attrs=entry,@inetOrgPerson
by dn.exact,expand="cn=$1,cn=BAR" write
> A corollary of my first question is whether these can be collapsed
> to:
>
> access to dn.regex="^cn=([^,]+),cn=FOO"
> attrs=children,entry,@favouriteDrink
> by dn.exact,expand="cn=$1,cn=BAR" write
No. In this case, the target is always "^cn=([^,]+),cn=FOO", so you
are giving children (correct), entry and @<objectClass> access
(unnecessary) to the entries matching the pattern above, while you're not
giving any access to their children, which is what you essentially need.
Ciao, p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
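The two points of the reply that are easiest to get wrong in practice (the missing trailing '$', and the collapsed rule not covering the children) can be checked offline by modelling how slapd selects a dn.regex target and expands $n in the "by dn.exact,expand=" clause. The script below is an added illustration written for this page, not code from the thread or from OpenLDAP; the sample DNs are constructed, the rule names are mine, and the evaluation is deliberately simplified (first matching target clause decides, no group/set/privilege-level handling) to the part of slapd's ACL logic the thread discusses.

```python
import re

# Constructed sample DNs (hypothetical, like the DNs in the thread). They are
# assumed to be already in normalized form, since slapd matches dn.regex
# against the normalized DN.
SAMPLE_DNS = [
    "cn=alice,cn=FOO",            # principal entry directly under cn=FOO
    "cn=gin,cn=alice,cn=FOO",     # subordinate entry the principal wants to add
    "cn=alice,cn=FOO,dc=other",   # same prefix, but a different subtree
    "cn=alice,cn=FOOBAR",         # sibling container sharing the prefix "cn=FOO"
]

# Patterns taken from the thread; only the constant names are mine.
UNANCHORED = r"^cn=([^,]+),cn=FOO"
ANCHORED = r"^cn=([^,]+),cn=FOO$"
CHILDREN = r"^[^,]+,cn=([^,]+),cn=FOO$"


def dn_matches(pattern, dn):
    """dn.regex is evaluated with POSIX regexec(), which searches rather than
    full-matches, so a pattern without a trailing '$' also hits longer DNs."""
    return re.search(pattern, dn) is not None


def matching_targets(pattern, dns=SAMPLE_DNS):
    """Return the sample DNs an 'access to dn.regex=...' clause would select."""
    return [dn for dn in dns if dn_matches(pattern, dn)]


def expand_who(pattern, dn, template):
    """Expand $0..$9 in a 'by dn.exact,expand=' template from the target match
    ($0 is the whole matched target DN, $1 the first capture group)."""
    m = re.search(pattern, dn)
    if m is None:
        return None
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), template)


def who_may_write(rules, target_dn, attr):
    """Simplified slapd evaluation: the first 'access to' clause whose dn
    pattern and attrs both match the request decides; if no clause matches,
    the request is denied (None). rules = [(pattern, attrs, who_template)]."""
    for pattern, attrs, template in rules:
        if dn_matches(pattern, target_dn) and attr in attrs:
            return expand_who(pattern, target_dn, template)
    return None


# Two-rule form with the trailing '$' the reply recommends. Adding an entry
# needs write on 'children' of the parent and on 'entry' of the new entry.
TWO_RULES = [
    (ANCHORED, {"children"}, "cn=$1,cn=BAR"),
    (CHILDREN, {"entry", "@favouriteDrink"}, "cn=$1,cn=BAR"),
]

# The collapsed single rule from the follow-up question.
COLLAPSED = [
    (UNANCHORED, {"children", "entry", "@favouriteDrink"}, "cn=$1,cn=BAR"),
]

if __name__ == "__main__":
    for name, pat in (("unanchored", UNANCHORED), ("anchored", ANCHORED)):
        print(name, "selects:", matching_targets(pat))
    child = "cn=gin,cn=alice,cn=FOO"
    print("two rules, entry on child ->", who_may_write(TWO_RULES, child, "entry"))
    print("collapsed, entry on child ->", who_may_write(COLLAPSED, child, "entry"))
```

Running it shows the unanchored pattern also selecting "cn=alice,cn=FOO,dc=other" and "cn=alice,cn=FOOBAR", i.e. granting write on children of entries outside the intended container, and shows the collapsed rule returning no grant at all for the 'entry' write on the subordinate, which is exactly why the two clauses cannot be merged.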