Re: ACLs by netgroup?
- To: Pierangelo Masarati <ando@sys-net.it>
- Subject: Re: ACLs by netgroup?
- From: samuel gipe <sgipe@yahoo.com>
- Date: Mon, 13 Feb 2006 10:09:51 -0800 (PST)
- Cc: OpenLDAP-software@OpenLDAP.org
- In-reply-to: <1139674661.17476.11.camel@ando>
Thanks for your answers, and sorry about the scrambling... not sure what
happened, but it looks like you figured out what I was asking.
I found syntax that works for the first two examples. It is discussed here:
http://www.openldap.org/lists/openldap-devel/200503/msg00080.html
which is a follow up to
http://www.openldap.org/lists/openldap-devel/200503/msg00048.html
Essentially, one can use the "+" operator, like so:
(user/uid & [cn=A]/memberUid) + (this/uid & [cn=B]/memberUid)
to return the empty set if one of the constituent sets is empty.
Still, your third example is more general.
Thanks again for all of your help!
--- Pierangelo Masarati <ando@sys-net.it> wrote:
> [your message appears completely scrambled; I'll do my best to answer]
>
>
> > Thanks for your suggestions. I have two questions about sets:
> >
> > 1) Can you confirm(/deny) that access is allowed if the set is not empty,
> > regardless of what's in the set. (My initial impression was that the set
> > would evaluate to a set of DNs, and the designated access would occur if
> > the binding user matched one of those DNs.)
> >
> Yes, access is granted if the set is non-empty.
> No, the set does not need to be made of DNs; see the examples in the
> FAQ.
>
> > As trivial example, if there is a group:
> >
> > dn: cn=storage,ou=Groups,dc=example,dc=com
> > cn: storage
> > objectClass: groupOfUniqueNames
> > objectClass: top
> > uniqueMember: uid=workerbee,ou=People,dc=example,dc=com
> >
> > then the following ACL allows write access to the attribute userPassword
> > regardless of who binds, yes?
> >
> > access to attrs=userPassword by set="(
> > [cn=storage,ou=groups,dc=example,dc=com]/uniqueMember &
> > [uid=workerbee,ou=people,dc=ofoto,dc=com])" write
> > by anonymous auth by * none
> >
> > 2) I was not able to get your first example to work. I am wondering if it
> > is because the set will always evaluate to the empty set, unless "this" is
> > the same as "user" (in which case it works, but then we can use "self").
> > Is there a different syntax that you can suggest, that would achieve the
> > same intent? (returning a non-empty set if each of the constituent
> > statements is non-empty). I played around a bit with no success, but this
> > is all new to me.
> >
> Not sure about the first example; for sure the last one works as
> intended (I mean: as I intended; we might not yet intend the same
> behavior...).
>
> >
> > Your example:
> > access to attrs=userPassword by self =xw
> > by set="([cn=group]/member & this) & ([cn=group]/owner & user)" =xw
> > by * =x
> >
> > I was able to get these two ACLs to work:
> >
> > access to attrs=userPassword by self =xw
> > by set="([cn=group]/member & this)" =xw
> > by * =x
> >
> > access to attrs=userPassword by self =xw
> > by set="([cn=group]/owner & user)" =xw
> > by * =x
> >
> > When I &'d them, things stop working.
> >
> > I haven't gotten the third example to work yet, though I believe that's
> > because I'm flailing on the syntax:
> > by
> > set.expand="[ldap:///dc=suffix??sub?(&(objectClass=groupOfNames)(member=$0))]/owner
> > & user" =xw
> > by
> > thanks
> > sam
> > ps. I will work on using groupOfNames rather than groupOfUniqueNames when
> > I have time to rewrite our data.
> > we are running slapd .19
>
> Since access control works per <what>, we need to work with that. As
> far as I understand, you want manager to be able to change the password
> of the workerbee. If you have a "groupOfNames" for each manager that
> lists the related workerbees in the "member" and the manager in the
> "owner", then you want to build a rule that, when the <what> is the
> workerbee's password, it collects the groups the workerbee is member of
> and ANDs their owner with the identity that's performing the operation.
> So:
>
> [ldap:///dc=base??sub?(&(objectClass=groupOfNames)(member=$0))]/owner
>
> selects the owner of all groups the <what> ($0) is member of; all you
> need to do is AND that set with the identity that's performing the
> operation (user), i.e.
>
> [ldap:///dc=base??sub?(&(objectClass=groupOfNames)(member=$0))]/owner & user
>
> The resulting set is either empty, or it consists of "user"; the value
> in case of non-empty set doesn't really matter, as all that's required
> to grant access is a non-empty set.
>
> I wouldn't spend too much effort in the other examples, as they are
> limited to single cases, so you'd need to write one rule for each
> manager/group.
>
> p.
>
>
>
>
> Ing. Pierangelo Masarati
> Responsabile Open Solution
> OpenLDAP Core Team
>
> SysNet s.n.c.
> Via Dossi, 8 - 27100 Pavia - ITALIA
> http://www.sys-net.it
> ------------------------------------------
> Office: +39.02.23998309
> Mobile: +39.333.4963172
> Email: pierangelo.masarati@sys-net.it
> ------------------------------------------
>
>
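To make the behaviour discussed in this thread concrete, here is an added example (not code from the thread, from Sam, or from OpenLDAP) that models the slapd set= semantics the two messages rely on: `user`, `this`, `[dn]` literals, `[ldap:///base??scope?filter]` URIs with `$0` standing for the target entry as Pierangelo describes, `/attr` dereference, `&`, `+`, and the rule that access is granted exactly when the set is non-empty. It is a toy evaluator, not slapd's sets.c: the directory is constructed, filters are treated as a conjunction of equality tests, matching is case-insensitive, and `+` is modelled as pairwise string concatenation, which has the property the reply above describes (empty if either side is empty) but is an assumption about the operator rather than something the thread states. The three ACL set expressions it evaluates are the `&`'d rule that failed, the `+` rule that worked, and the general set.expand rule.

```python
# Toy evaluator for the slapd ACL set= expressions in this thread (not sets.c).
# Assumptions: '+' is pairwise string concatenation, URI filters are conjunctions
# of equality tests, matching is case-insensitive, and the directory is made up.
import re

DIRECTORY = {  # DN -> attribute -> set of values (all names invented)
    "uid=workerbee,ou=People,dc=example,dc=com": {"uid": {"workerbee"}},
    "uid=boss,ou=People,dc=example,dc=com": {"uid": {"boss"}},
    "uid=other,ou=People,dc=example,dc=com": {"uid": {"other"}},
    "cn=team1,ou=Groups,dc=example,dc=com": {  # one groupOfNames per manager
        "objectClass": {"groupOfNames"},
        "member": {"uid=workerbee,ou=People,dc=example,dc=com"},
        "owner": {"uid=boss,ou=People,dc=example,dc=com"}},
    "cn=admins,ou=Groups,dc=example,dc=com": {"memberUid": {"boss"}},
    "cn=staff,ou=Groups,dc=example,dc=com": {"memberUid": {"workerbee", "other"}},
}

TOKEN = re.compile(r"\[[^\]]*\]|[A-Za-z][A-Za-z0-9]*|[&+/()]")

def tokenize(expr):
    toks = TOKEN.findall(expr)  # a whole [...] is one token, so URIs stay intact
    if "".join(toks) != re.sub(r"\s+", "", expr):
        raise ValueError("bad set syntax: " + expr)
    return toks

class SetEvaluator:
    def __init__(self, directory, user_dn, this_dn):
        self.dir = {dn.lower(): {a.lower(): {v.lower() for v in vals}
                                 for a, vals in e.items()} for dn, e in directory.items()}
        self.user, self.this = user_dn.lower(), this_dn.lower()

    def evaluate(self, expr):
        self.toks, self.i = tokenize(expr), 0
        result = self.expr()
        assert self.i == len(self.toks), "trailing tokens in set expression"
        return result

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        self.i += 1
        return self.toks[self.i - 1]

    def expr(self):  # term (('&' | '+') term)*
        left = self.term()
        while self.peek() in ("&", "+"):
            op, right = self.take(), self.term()
            # '&' is intersection; '+' (pairwise concatenation) is empty iff a side is
            left = left & right if op == "&" else {a + b for a in left for b in right}
        return left

    def term(self):  # atom ('/' attr)*: dereference attr on every DN in the set
        val = self.atom()
        while self.peek() == "/":
            self.take()
            attr = self.take().lower()
            val = set().union(*(self.dir.get(dn, {}).get(attr, set()) for dn in val))
        return val

    def atom(self):
        tok = self.take()
        if tok in ("user", "this"):
            return {self.user if tok == "user" else self.this}
        if tok == "(":
            val = self.expr()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return val
        if tok.startswith("["):
            body = tok[1:-1]
            if body.lower().startswith("ldap:///"):
                return self.search(body[len("ldap:///"):])
            return {body.lower()}  # literal DN
        raise ValueError("unexpected token %r" % tok)

    def search(self, uri):  # base?attrs?scope?filter, as in the set.expand rule
        base, _attrs, scope, filt = (uri.split("?", 3) + [""] * 3)[:4]
        base, scope = base.lower(), (scope or "base").lower()
        filt = filt.replace("$0", self.this)  # set.expand: $0 is the <what> DN
        conds = [(a.lower(), v.lower()) for a, v in re.findall(r"\((\w+)=([^()]*)\)", filt)]
        hits = set()
        for dn, entry in self.dir.items():
            in_scope = dn == base or (scope == "sub" and dn.endswith("," + base))
            if in_scope and all(v in entry.get(a, set()) for a, v in conds):
                hits.add(dn)
        return hits

def access_granted(set_expr, user_dn, this_dn, directory=DIRECTORY):
    """slapd grants a set= clause exactly when the set is non-empty."""
    return bool(SetEvaluator(directory, user_dn, this_dn).evaluate(set_expr))

G = "[cn=team1,ou=Groups,dc=example,dc=com]"
# both halves yield DNs, so &'ing them is empty unless this == user
ANDED = "(%s/member & this) & (%s/owner & user)" % (G, G)
# the '+' form from the reply above: non-empty iff both halves are non-empty
PLUSSED = ("(user/uid & [cn=admins,ou=Groups,dc=example,dc=com]/memberUid) + "
           "(this/uid & [cn=staff,ou=Groups,dc=example,dc=com]/memberUid)")
# the general set.expand rule: owners of every groupOfNames the target belongs to
GENERAL = ("[ldap:///dc=example,dc=com??sub?(&(objectClass=groupOfNames)(member=$0))]"
           "/owner & user")
```

With boss binding and workerbee's entry as the target, `access_granted(ANDED, ...)` is False (the two halves are different DNs, so their intersection is empty), while both `PLUSSED` and `GENERAL` are True, and `GENERAL` is False for a binder who owns no group the target belongs to. The check to make before trusting a set= rule in production is the same one this toy makes explicit: write down what values each sub-expression produces, because a non-empty set grants access whatever it contains.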