
Re: I need some help w/ACLs



> We maintain email lists on LDAP for every course section offered at the
> college, and I am moving it from a Netscape Server to OpenLDAP.  The LDAP
> structure is a hierarchy of many branches.  Basically, a course list entry
> DN for a course section in computer science looks like this:
>
>    uid=2004FA-CSC12001,ou=csc,ou=classlists,o=linfield.edu
>
> The actual entry is in the computer science hierarchy (ou=csc) and the
> computer science hierarchy is in the class lists hierarchy (ou=classlists).
> I need to set up ACLs in OpenLDAP that are functionally equivalent to those
> in the Netscape Server.
>
> The actual courselist entry has an owner attribute containing one or more
> DNs.  These are the faculty who need to be able to view and modify the
> entry.  That's straightforward enough and not a problem.

# something like
access to dn.regex="^uid=[^,]+,ou=[^,]+,ou=classlists,o=linfield.edu$"
    by dnattr=owner write

> However, each subject hierarchy entry
> (DN: ou=<subject>,ou=classlists,o=linfield.edu) has a uniquemember
> attribute containing the DNs of those who can view and modify any entry in
> that particular hierarchy.

# something like, assuming the uniqueMember attribute
# implies a groupOfUniqueNames objectClass,
access to dn.regex="^uid=[^,]+,(ou=[^,]+,ou=classlists,o=linfield.edu)$"
    by group/groupOfUniqueNames/uniqueMember.expand="$1" write


> And the classlists hierarchy (DN: ou=classlists,o=linfield.edu) has a
> uniquemember attribute containing the DNs of those who can view and modify
> any courselist entry.

# something like
access to dn.regex="^uid=[^,]+,ou=[^,]+,ou=classlists,o=linfield.edu$"
    by group/groupOfUniqueNames/uniqueMember="ou=classlists,o=linfield.edu" write


>
> I'm not at all sure how to set up the ACLs to accomplish that access.  Does
> anybody have any guides, or maybe done something similar you'd be willing
> to share?

# so, to summarize
access to dn.regex="^uid=[^,]+,(ou=[^,]+,ou=classlists,o=linfield.edu)$"
    by dnattr=owner write
    by group/groupOfUniqueNames/uniqueMember.expand="$1" write
    by group/groupOfUniqueNames/uniqueMember="ou=classlists,o=linfield.edu" write

You don't specify the version of OpenLDAP; this may imply slight
differences (e.g. in the <groupstyle>), but a look at slapd.access(5) for
the version you're using should clarify matters; the required features have
been available for a long time.

p.


-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
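As an added illustration (not part of the original message, and not slapd itself): the Python below models how slapd evaluates the summarized access directive above against a constructed set of entries. The people DNs (prof1, prof2, cscchair, mathchair, registrar), the second subject (ou=math) and the owner values are assumptions. The model reproduces three properties of slapd's evaluation that are easy to get wrong when testing such an ACL: the <what> regex must match before any <who> clause is considered; the <who> clauses are tried in order and the first one that matches decides; and a group <who> clause only fires when the entry named as the group actually carries the objectClass given in the <groupstyle> (here groupOfUniqueNames), which the reply assumes the uniqueMember attribute implies. The regex used here also escapes the dot in o=linfield.edu, which the posted pattern leaves as a match-any-character metacharacter.

```python
import re

# Constructed sample entries standing in for the directory described in the
# thread. DNs are stored the way slapd compares them: lower-cased, with no
# spaces after commas. People DNs and ou=math are assumptions for the demo.
DIRECTORY = {
    "ou=classlists,o=linfield.edu": {
        "objectclass": ["top", "organizationalunit", "groupofuniquenames"],
        "uniquemember": ["uid=registrar,ou=people,o=linfield.edu"],
    },
    "ou=csc,ou=classlists,o=linfield.edu": {
        "objectclass": ["top", "organizationalunit", "groupofuniquenames"],
        "uniquemember": ["uid=cscchair,ou=people,o=linfield.edu"],
    },
    # Subject entry that carries uniqueMember but lacks the groupOfUniqueNames
    # class named in the ACL's <groupstyle>: its members must NOT get write.
    "ou=math,ou=classlists,o=linfield.edu": {
        "objectclass": ["top", "organizationalunit"],
        "uniquemember": ["uid=mathchair,ou=people,o=linfield.edu"],
    },
    "uid=2004fa-csc12001,ou=csc,ou=classlists,o=linfield.edu": {
        "owner": ["uid=prof1,ou=people,o=linfield.edu"],
    },
    "uid=2004fa-mat10001,ou=math,ou=classlists,o=linfield.edu": {
        "owner": ["uid=prof2,ou=people,o=linfield.edu"],
    },
}

CLASSLISTS_GROUP = "ou=classlists,o=linfield.edu"

# The <what> clause of the summary ACL. The literal '.' in the suffix is
# escaped here; unescaped, a regex dot matches any single character.
TARGET = re.compile(r"^uid=[^,]+,(ou=[^,]+,ou=classlists,o=linfield\.edu)$")


def normalize(dn):
    """Approximate slapd's DN normalization: case-fold, drop spaces after commas."""
    return re.sub(r",\s+", ",", dn.strip()).lower()


def is_group_member(bind_dn, group_dn):
    """Model 'group/groupOfUniqueNames/uniqueMember=<group_dn>': the group entry
    must exist, have objectClass groupOfUniqueNames, and list bind_dn."""
    group = DIRECTORY.get(group_dn)
    if group is None or "groupofuniquenames" not in group.get("objectclass", []):
        return False
    return bind_dn in group.get("uniquemember", [])


def granting_clause(bind_dn, target_dn):
    """Return the <who> clause that grants write on target_dn to bind_dn, or
    None. As in slapd, <what> must match first; then <who> clauses are tried
    in order and the first match decides."""
    bind_dn, target_dn = normalize(bind_dn), normalize(target_dn)
    m = TARGET.match(target_dn)
    if not m:
        return None                       # this 'access to' does not apply
    entry = DIRECTORY.get(target_dn, {})
    if bind_dn in entry.get("owner", []):
        return "dnattr=owner"             # by dnattr=owner write
    if is_group_member(bind_dn, m.group(1)):
        return "group.expand=$1"          # $1 is the ou=<subject>,... parent
    if is_group_member(bind_dn, CLASSLISTS_GROUP):
        return "group=ou=classlists"      # the top-level classlists group
    return None


def can_write(bind_dn, target_dn):
    return granting_clause(bind_dn, target_dn) is not None


def writers(target_dn):
    """Every DN named anywhere as owner or uniqueMember that can write target_dn."""
    candidates = {dn for e in DIRECTORY.values()
                  for dn in e.get("owner", []) + e.get("uniquemember", [])}
    return sorted(dn for dn in candidates if can_write(dn, target_dn))


if __name__ == "__main__":
    for dn in DIRECTORY:
        if dn.startswith("uid="):
            print(dn, "->", writers(dn))
```

Running it lists, for each course entry, exactly the owner, the subject group's members (only where the subject entry really is a groupOfUniqueNames) and the classlists group's members. In slapd's privilege ordering write also grants read, so the single write level covers the poster's "view and modify" requirement without a separate read clause.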