
Re: Subordinate ACL question



>
>>> Actually, I wonder if I could get away with just putting
>>> "by * break" at the end of each special-case rule, which
>>> would fall through to the "access to *" at the end.
>>
>> That's actually what I've done... I have a 400+ long ACL file with lots of
>> by * break. :P
>
> It seems that this addresses my main concern (repeating default subjects
> just to give a specific subject additional access).
>
> So now I have something like (again contrived):
>
> access to attrs=favouriteDrink
> 	by group/group/member.exact="CN=Drinkers" write
> 	by * break

According to slapd.access(5)

       access to <what> [ by <who> <access> [ <control> ] ]+

the

       by * break

is an error; I've never tried anything like that, so I don't know if slapd
happily ignores it or whatever it does in response, but the man page
clearly states that the <control> field {break|continue|stop} is optional,
but the <access> field [self]{<level>|<priv>} is mandatory.  I assume
something like "+0" (i.e. permissions are not altered) is implied, but I
need to check the code and see if this should become a de facto default
behavior or it should be explicitly enforced.

>
> access to attrs=entry,@pilotPerson
> 	by group/group/member.exact="CN=Pilots" write
> 	by * break
>
> access to *
> 	by group/group/member.exact="CN=Administrators" write
> 	by dn.exact="CN=Administrator" write
> 	by users read
> 	by anonymous sockurl=ldapi:// read
> 	by * auth

I'm not answering your question yet.  What you're doing looks fine to me,
although a bit involved.  In general, I'd rather favour a tree-based ACL
separation, whenever possible, rather than a content-based one.  That is,
use the "DN" pattern to identify the scope of ACLs, leaving the "attrs"
field the granularity on the access.  I understand you're having a problem
with entries that can be anywhere in the tree, and you need granularity in
selecting who can access what portions of an entry.  Then the rule is
simply: go from specific to general, which is what you're doing.  For
clarity, I usually prefer to repeat subjects, at the cost of making
administration a bit more difficult (but then, of course, you can use some
macro expansion tool to automate the generation of the ACL file, like
"sed" or "m4"), rather than using <control> statements.

Ciao, p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
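A check for the point raised in the reply above, added here as an example (it is not code from the thread or from OpenLDAP): it scans a slapd.conf-style ACL for `by` clauses where the first field after `<who>` is a `<control>` keyword with no `<access>` in front of it, using the `[self]{<level>|<priv>}` grammar of slapd.access(5) as quoted above. The sample ACL is constructed from the rules quoted in the thread.

```python
"""Find "by <who> <control>" clauses that omit the <access> field.

Added example, not OpenLDAP's own code. The grammar assumed is the one
quoted in the thread from slapd.access(5):
    access to <what> [ by <who> <access> [ <control> ] ]+
    <access>  ::= [self]{<level>|<priv>}
    <control> ::= break | continue | stop
"""
import re

LEVELS = {"none", "disclose", "auth", "compare", "search", "read", "write", "manage"}
PRIV_RE = re.compile(r"^[=+-][0dxcsrwm]+$")   # e.g. +0, =rscx, -w
CONTROLS = {"break", "continue", "stop"}

def is_access(tok):
    """True if tok is a valid <access> field: [self]{<level>|<priv>}."""
    if tok.startswith("self"):
        tok = tok[4:]
    return tok in LEVELS or bool(PRIV_RE.match(tok))

def rules(text):
    """Join slapd.conf continuation lines (leading whitespace) and keep
    the 'access to ...' statements, one per list entry."""
    joined = re.sub(r"\n[ \t]+", " ", text)
    return [ln.strip() for ln in joined.splitlines()
            if ln.strip().startswith("access to")]

def lint(text):
    """Return (rule_number, by_clause) for every clause whose first
    recognisable field after <who> is a <control> instead of an <access>."""
    problems = []
    for n, stmt in enumerate(rules(text), 1):
        for clause in re.split(r"\bby\b", stmt)[1:]:   # drop 'access to <what>'
            toks = clause.split()
            # toks[0] is <who>; qualifiers such as sockurl=... may follow it,
            # so look at the first token that is an <access> or a <control>.
            sig = [t for t in toks[1:] if is_access(t) or t in CONTROLS]
            if not sig or sig[0] in CONTROLS:
                problems.append((n, "by " + clause.strip()))
    return problems

# Constructed sample: the contrived ACL quoted in the thread.
SAMPLE_ACL = """\
access to attrs=favouriteDrink
    by group/group/member.exact="CN=Drinkers" write
    by * break

access to attrs=entry,@pilotPerson
    by group/group/member.exact="CN=Pilots" write
    by * break

access to *
    by group/group/member.exact="CN=Administrators" write
    by dn.exact="CN=Administrator" write
    by users read
    by anonymous sockurl=ldapi:// read
    by * auth
"""

if __name__ == "__main__":
    for rule_no, clause in lint(SAMPLE_ACL):
        print(f"rule {rule_no}: '{clause}' has a <control> but no <access>")
```

Running it reports the two `by * break` clauses in rules 1 and 2 and accepts rule 3, where every clause carries a level.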