
Re: Subordinate ACL question



>
>>1) favouriteDrink is an attributeType; "@" is used to indicate the
>>attributeType collection that's required/allowed for an objectClass, I
>>assume that's what you meant, so the example is wrong and your intention
>>is to apply the rule to an objectClass.
>
> Correct, the example was wrong. Sorry about that! I'll use "pilotPerson"
> below.

:)

>
>>2) use a trailing '$' in regex patterns.
>
> Ah, again, I lose for making up a contrived example. The actual ACL
> has a trailing '$'.

:))

>
>>3) in the first rule, you can expand "$0" instead (at least with HEAD
>> code)
>
> I'm using 2.2.18.

see the correction to my posting ("by self write"!)

>
>>> A corollary of my first question is whether these can be collapsed
>>> to:
>>>
>>> access to dn.regex="^cn=([^,]+),cn=FOO"
>>> attrs=children,entry,@pilotPerson
>>> 	by dn.exact,expand="cn=$1,cn=BAR" write
>>
>>No.  In this case, the target is always "^cn=([^,]+),cn=FOO", so you
>>are giving children (correct), entry and @<objectClass> access
>>(unnecessary) to the entries matching the pattern above, while you're not
>>giving any access to their children, which is what you essentially need.
>
> Ah, thanks. I think I understand that. Going back to the first example,
> will:
>
> 	access to dn.children="cn=FOO" attrs=children,entry,@pilotPerson
> 		by dn.exact="CN=BAR" write
>
> suffice to give CN=BAR authorization to create entries of object
> class pilotPersons under cn=FOO, or do I still need two separate
> rules?

No, because the "dn.children" specification targets only the children of
"cn=FOO", so you'd still miss the "children" access to "cn=FOO" itself
(too many "children", though!).

My understanding is that you want to confine in one rule all that is
required to allow entry addition.  This can be done at the cost of giving away more
rights than strictly required.  You need a <what> clause <dn> pattern that
matches both the parent and the newborn entry; in this case you can
simultaneously give access to "children", "entry" and "<attrlist>", at the
cost of giving the same access rights to the children of the newborn
entry, and to the parent's "entry" and "attrlist" attributes.  In your
case, I guess the only option is to use (going back to your very initial
example):

access to dn.regex="^(([^,]+),)?cn=([^,]+),CN=FOO$"
attrs=entry,children,@pilotPerson
    by dn.exact,expand="cn=$3,CN=FOO" write

This matches exactly "^cn=([^,]+),CN=FOO$" or a direct child of it.  Hope
it helps.

Ciao, p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
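The ADD-permission reasoning in the message above, worked through as an added example that is not part of the original post nor of OpenLDAP's own code: a small Python model of how the <what> DN clause of an ACL is matched for an ADD, following the thread's description (the operation needs "children" on the parent plus "entry" and the attributes on the newborn entry). Assumptions labelled in the code: the attribute set that "@pilotPerson" expands to is a constructed stand-in, DN comparison and regex matching are treated as case-insensitive, and only the two <what> styles from the thread ("dn.regex" with "dn.exact,expand", and "dn.children" with "dn.exact") are modelled.

```python
import re

# Constructed stand-in for the attributes "@pilotPerson" would expand to
# (the real set comes from the schema; this is an assumption for the model).
OBJECTCLASS_ATTRS = {"pilotPerson": {"cn", "sn", "mail", "objectClass"}}


def normalize(dn):
    """Toy DN normalisation: lower-case, no blanks after commas (assumption)."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def expand_attrs(attrs):
    """Expand "@objectClass" entries into the attribute names of that class."""
    out = set()
    for a in attrs:
        out |= OBJECTCLASS_ATTRS[a[1:]] if a.startswith("@") else {a}
    return out


class Rule:
    """One 'access to <what> attrs=<attrlist> by <who> write' clause."""

    def __init__(self, what_style, what, attrs, who_style, who):
        self.what_style, self.what = what_style, what
        self.attrs = expand_attrs(attrs)
        self.who_style, self.who = who_style, who

    def targets(self, dn):
        """Match object (or True) if <what> covers dn, else a false value."""
        if self.what_style == "dn.regex":
            return re.match(self.what, dn, re.IGNORECASE)
        if self.what_style == "dn.children":
            # dn.children covers subordinates of the base, never the base itself
            return normalize(dn).endswith("," + normalize(self.what))
        raise ValueError("unsupported <what> style: " + self.what_style)

    def grants_write(self, dn, attr, who):
        m = self.targets(dn)
        if not m or attr not in self.attrs:
            return False
        expected = self.who
        if self.who_style == "dn.exact,expand":
            # substitute $1..$9 with the capture groups of the <what> regex
            expected = re.sub(r"\$(\d)",
                              lambda g: m.group(int(g.group(1))) or "", self.who)
        return normalize(expected) == normalize(who)


def can_write(rules, dn, attr, who):
    return any(r.grants_write(dn, attr, who) for r in rules)


def can_add(rules, newdn, who, attrs):
    """Return the list of missing rights for an ADD; empty means allowed."""
    parent = newdn.split(",", 1)[1]
    missing = []
    if not can_write(rules, parent, "children", who):
        missing.append("children on " + parent)
    for a in ["entry", *attrs]:
        if not can_write(rules, newdn, a, who):
            missing.append(a + " on " + newdn)
    return missing


# The single rule proposed in the message: parent and direct child both match.
FINAL = [Rule("dn.regex", r"^(([^,]+),)?cn=([^,]+),CN=FOO$",
              ["entry", "children", "@pilotPerson"],
              "dn.exact,expand", "cn=$3,CN=FOO")]

# The questioner's one-rule attempt: dn.children never targets cn=FOO itself.
CHILDREN_ONLY = [Rule("dn.children", "cn=FOO",
                      ["children", "entry", "@pilotPerson"],
                      "dn.exact", "CN=BAR")]

if __name__ == "__main__":
    # Constructed sample DNs: cn=alice,CN=FOO adding a child beneath itself.
    print(can_add(FINAL, "cn=bob,cn=alice,CN=FOO", "cn=alice,CN=FOO", ["cn", "sn"]))
    print(can_add(CHILDREN_ONLY, "cn=alice,cn=FOO", "CN=BAR", ["cn"]))
```

Running it shows the two points of the message: with FINAL the ADD of "cn=bob,cn=alice,CN=FOO" by "cn=alice,CN=FOO" has no missing rights (and, as the cost noted in the post, the same identity can also write its own attributes and the children of the newborn entry), while CHILDREN_ONLY lacks exactly "children on cn=FOO" because the base of a dn.children clause is not itself a target.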