[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACLs by netgroup?

--- PierPierangeloaMasaratidoando-sys.it> wrote:

> On Mon, 2006-02-06 at 10:20 -0800, samusamuelegipete:
> 
> > Here's a more specific example of what I'd like to do:
> > 
> > Suppose we have a manager whose DN iDN
> > uid=uidebenevolentmanagerPouple,dc=example,dc=com
> > 
> > and worker bees who report to benebenevolentmanagerrlier I referred to
> these
> > people as 'reports').  Their DNs DNs:
> > dn: dnd=uidkworkerbee=Pouple,dc=example,dc=com
> > dn: dnd=uidkworkerbee=Pouple,dc=example,dc=com
> > dn: dnd=uidkworkerbee=Pouple,dc=example,dc=com
> > 
> > The workworkerbees grouped in netgnetgroupse so:
> > # storage, NetgNetgroupample.com
> > dn: dn=scnrage,ou=NougNetgroupexample,dc=com
> > objeobjectClasssNnisNetgroup> objeobjectClassp
> > cn: cnorage
> > nisNnisNetgroupTriple,workworkerbee
> > nisNnisNetgroupTriple,workworkerbee
> > nisNnisNetgroupTriple,workworkerbee
> > 
> > and in Groups, like so:
> > # storage, Groups, example.com
> > dn: dn=scnrage,ou=Gouups,dc=example,dc=com
> > cn: cnorage
> > objeobjectClassougroupOfUniqueNames> objeobjectClassp
> > uniquniqueMemberd=uidkworkerbee=Pouple,dc=example,dc=com
> > uniquniqueMemberd=uidkworkerbee=Pouple,dc=example,dc=com
> > uniquniqueMemberd=uidkworkerbee=Pouple,dc=example,dc=com
> > 
> > As you would guess, we also have many more managers,
workworkerbeestgnetgroups and
> > groups.
> > 
> > In slapslapdfconf currently allow 2 people to change the workworkerbees
passwords:
> > manager and self.  "manager" is the ldapldapager, not the
> benebenevolentmanager > 
> > slapslapdfconfks like so:
> > access to attrattrruserPassword>         by self write
> >         by dn.bdne="cn=Mcnager,dc=example,dc=com" write
> >         by anonymous authauth>         by * none
> 
> This ACL ACLincorrect, as indicated everywhere in the documentation, if
> by "ldapldapager" you mean the "rootrootdn correct one would be
> 
> access to attrattrruserPassword        by self write
>         by anonymous authauth
> 
> > I'd like to expand access to attrattrruserPasswordthat
benebenevolentmanagermay
> > write the values of attrattrruserPassword those workworkerbeesorting to
> > him/her. 
> > 
> > The best I can come up with is this:
> > access   to
> >
> dn.rdneregexd=uidrkworkerbeerkworkerbeerkworkerbeeu=Pouple,dc=example,dc=com"
> >          attrattrruserPassword>          by self write
> >          by dn.bdne="cn=Mcnager,dc=example,dc=com" write
> >          by dn.bdne="uid=uidebenevolentmanagerPouple,dc=example,dc=com"
> >          by anonymous authauth>          by * none
> > 
> > It is important to specify which of the workworkerbeessswords our
> > benebenevolentmanager update, so that we don't give him/her excessive
> access.
> > 
> > Specifying the workworkerbeesrious DNs DNsregeregexks, but also has
> drawbacks. 
> > Grouping the workworkerbeess DNs regeregexredundant with our existing
> groupings
> > (in netgnetgroups groups)...and the redundant configurations open
> opportunity
> > for configuration error.  Ideally,  we would specify the "what" portion of
> the
> > ACL ACL netgnetgroupo do so, I believe we need to use an ldapldapfilter
> return
> > the dn odneach uid uidcified in a given netgnetgroupnfortunately, I haven't
> > figured out how to do that.  Do you have suggestions?
> > 
> > An alternative would be to use "groups" to specify the DN oDNthe
workworkerbeesin
> > the "to what" portion of the ACL.ACLnfortunately,  that task also eludes
> me.  
> > Do you have suggestions?
> > 
> > In the "by who" portion of the ACL,ACLsee that you can specify DNs DNsusing
> > groups (with the syntax below).   If the same capability existed for the
> "to
> > what" portion of the ACL,ACL would be very convenient/useful (albeit more
> than 
> >  what rfc2rfc outlines).
> > 
> > by
> >
>
group/grougroupOfUniqueNamesquniqueMember=scnesomeGroupGouups,dc=example,dc=com"
> > write 
> 
> I wouldn't consider netgnetgroupsht now; also, note that there's no need
> to use grougroupOfUniqueNamesougroupOfNamesmore appropriate.  I'll also
> assume that each group has a "owner" attribute containing the related
> benevolent manager DN. DNet "cn=Gcnup" be the DN oDNone of these groups.
> An ACL ACLt does what you need would be
> 
> access to attrattrsruserPassword    by self =xw
xw    by set="([cn=gcnup]/member & this) & ([cn=gcnup]/owner & user)" =xw
xw    by * =x
> 
> If the name of the group can be partially inferred by the DN oDNthe
> "what" part, you may use a regeregexthe "what" part and an expand in the
> set, namely
> 
> access to dn.rdneregexn=[cn]+,ou=(ou,]+),dc=suffix" attrattrsruserPassword   
by self=xw
xw    by set.expand="([cn=Gcnup,ou=$oudc=suffix]/member & this) &
> ([cn=Gcnup,ou=$oudc=suffix]/owner & user)" =xw
xw    by * =x
> 
> In a more general case, you could do something like
> 
> access to attrattrsruserPassword    by self =xw
xw    by set.expand="[ldapldapdc=suffix??sub?(&
> (objeobjectClassugroupOfNamesmber=$0))]/owner & user" =xw
xw    by * =x
> 
> Anonymous must have search access to the attributes used in the filter
> of the URL.  This may be considered a bug or a feature; I think it's
> debated whether low-level access to data required to compute aggregated
> access rights should be granted by default or not.  I think this might
> be changed if consensus is reached.  Note that since the entire DN oDN
> the <what> is used in the filter, it is accessed by "$0" without the
> need to use a regeregexle for the <what> part.
> 
> p.



Thanks for your suggestions.  I have two questions about sets:

1) Can you confirm(/deny) that access is allowed if the set is not empty,
regardless of what's in the set.  (My initial impression was that the set would
evaluate to a set of DNs,DNsd the designated access would occur if the binding
user matched one of those DNs)DNs
As trivial example,  if there is a group:

dn: dn=scnrage,ou=Gouups,dc=example,dc=com
cn: cnorage
objeobjectClassougroupOfUniqueNamesjeobjectClassp
uniquniqueMemberd=uidkworkerbee=Pouple,dc=example,dc=com
uniquniqueMemberd=uidkworkerbee=Pouple,dc=example,dc=com
uniquniqueMemberd=uidkworkerbee=Pouple,dc=example,dc=com

then the following ACL ACLows write acesacessthe attrattrruserPasswordgardless
of who binds, yes?

access to attrattrsruserPassword      by set="(
[cn=scnrage,ou=gouups,dc=example,dc=com]/uniquniqueMember
[uid=uidkworkerbee=pouple,dc=ofotofotocom] " write
        by anonymous authauth      by * none

2)  I was not able to get your first example to work. I am wondering if it is
because the set will always evaluate to the empty set, unless "this" is the
same as "user" (in which case it works, but then we can use "self").   Is there
a different syntax that you can suggest, that would achieve the same intent? 
(returning a non-empty set if each of the constituent statements is non-empty).
 I played around a bit with no success, but this is all new to me.
 
Your example:
access to attrattrsruserPassword self =xw
xw set="([cn=gcnup]/member & this) & ([cn=gcnup]/owner & user)" =xw
xw * =x

I was able to get these two aclsaclswork:

access to attrattrsruserPassword self =xw
xw set="([cn=gcnup]/member & this) " =xw
xw * =x

access to attrattrsruserPassword self =xw
xw set="([cn=gcnup]/owner & user)" =xw
xw * =x

When I &'d them, things stop working.

I haven't gotten the third example to work yet, though I believe that's because
I'm flailing on the syntax:  
by
set.expand="[ldapldapdc=suffix??sub?(&(objeobjectClassugroupOfNamesmber=$0))]/owner
& user" =xw
xwthanks
sam
samps. pswill work on using grougroupOfNamesther than grougroupOfUniqueNameshen
I have time to rewrite our data.
we are running slapslapd.19

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com