
Another ACL question about set usage



Hello

Set ACLs are definitely hard to work with. But perhaps my schema is
just plain wrong. Any hint (how to build the ACL or how to redesign the
schema) is welcome. Here is the problem:

A) The schema
I have three classes: ou, person, mailAddress

1) persons are children of ou. They have three interesting attributes:
        ou: the ou they belong to
        mail: the mail addresses they receive mail from (multivalued)
        uid: the person's account login

A person's DN is like uid=jdoe,ou=sales,dc=example,dc=net


2) mailAddress holds a bunch of parameters about a mail address. It has
a mail attribute. A mailAddress DN is like
mail=John.Doe@example.net,dc=example,dc=net

mailAddresses are not children of ou, since several persons from different
ous may receive mail through the same address.


3) ou has two interesting attributes:
        ou: the unit name
        manager: DN of persons acting as managers (multivalued)
An ou DN is like ou=sales,dc=example,dc=net



B) The goals

1) a person must be able to modify a mailAddress when it receives mail
from this address. This is done by an ACL clause like this (obtained
from this mailing list)
    by set.exact="this/mail & user/mail" write
It works very well. That goal is fulfilled.


2) a user listed as a manager for an ou must be able to modify the
persons within the ou. I've come to the following:

access to dn.regex="uid=.+,ou=(.+),dc=example,dc=net$"
    by set.expand="[ou=$1,dc=example,dc=net]/manager* & user" write

That works, though it seems to be very poor on the performance front. I
tried something simpler, such as:
     by set.exact="this/ou/manager & user"
or that way:
     by set.exact="(this/ou+[,dc=example,dc=net])/manager & user"
but it does not work, I have no idea why. I'm very curious to learn
what's wrong here.

3) The trickiest part, for which I have no solution: a user listed as a
manager for an ou must be able to modify the mailAddress that a user he
can modify could modify.

I can try to rephrase this a bit better. If I have the following
(mailAddress, person, ou) triplet
dn: mail=W,dc=example,dc=net

dn: uid=X,ou=Y,dc=example,dc=net
mail: W

dn: ou=Y,dc=example,dc=net
manager: Z

I want user Z to be able to modify mailAddress W

Here is an attempt that does not work
   by set.exact="
    ([uid=*,ou=] + ([manager=] + user)/ou*) + [,dc=example,dc=net])/mail
    & this/mail" write

I also attempted various tricks with ldap:/// lookups, but no luck.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org
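The three goals above, worked through in a small Python model added here (it is neither OpenLDAP code nor the poster's own configuration). The model implements the set operations the post relies on over an in-memory directory: a set of DNs, "X/attr" as the union of attr values over the entries in X (a DN-valued attribute such as manager can then be dereferenced again), "&" as intersection, and a parent-DN step used in place of the regex capture. The directory entries, the extra DNs uid=boss and uid=eve, and the mail values are constructed for the example; the (W, X, Y, Z) triplet is the one from the post.

```python
"""Toy model of OpenLDAP-style ACL "set" evaluation over an in-memory DIT.

Added example, not OpenLDAP code. Entries are dicts keyed by DN; the set
semantics (dereferencing attribute values as DNs, intersection, parent DN)
are modelled from the operators used in the post and are an assumption.
"""
from __future__ import annotations

# Constructed directory matching the (mailAddress, person, ou) triplet:
# W = the mailAddress, X = a person in ou=sales, Y = that ou, Z = its manager.
BASE = "dc=example,dc=net"
W = f"mail=John.Doe@example.net,{BASE}"
X = f"uid=jdoe,ou=sales,{BASE}"
Y = f"ou=sales,{BASE}"
Z = f"uid=boss,ou=mgmt,{BASE}"
OTHER = f"uid=eve,ou=hr,{BASE}"  # a user who manages nothing

DIT: dict[str, dict[str, set[str]]] = {
    W: {"objectClass": {"mailAddress"}, "mail": {"John.Doe@example.net"}},
    X: {"objectClass": {"person"}, "uid": {"jdoe"}, "ou": {"sales"},
        "mail": {"John.Doe@example.net"}},
    Z: {"objectClass": {"person"}, "uid": {"boss"}, "ou": {"mgmt"},
        "mail": {"boss@example.net"}},
    OTHER: {"objectClass": {"person"}, "uid": {"eve"}, "ou": {"hr"},
            "mail": {"eve@example.net"}},
    Y: {"objectClass": {"organizationalUnit"}, "ou": {"sales"}, "manager": {Z}},
    f"ou=mgmt,{BASE}": {"objectClass": {"organizationalUnit"}, "ou": {"mgmt"}},
    f"ou=hr,{BASE}": {"objectClass": {"organizationalUnit"}, "ou": {"hr"}},
}


def deref(dns: set[str], attribute: str) -> set[str]:
    """Set operator "X/attr": union of attr values over every DN in X.
    A value that is not the DN of an existing entry contributes nothing to a
    further "/..." step."""
    out: set[str] = set()
    for dn in dns:
        out |= DIT.get(dn, {}).get(attribute, set())
    return out


def parent(dn: str) -> str:
    """Parent DN: drop the first RDN (this toy DIT has no escaped commas)."""
    return dn.split(",", 1)[1]


def goal1_write(this_dn: str, user_dn: str) -> bool:
    """Goal 1: "this/mail & user/mail" is non-empty."""
    return bool(deref({this_dn}, "mail") & deref({user_dn}, "mail"))


def goal2_write(this_dn: str, user_dn: str) -> bool:
    """Goal 2: the ou entry directly above the person lists the bound user
    as manager, i.e. "[ou=$1,dc=example,dc=net]/manager & user" with the ou
    taken from the entry's own DN instead of a regex capture."""
    return bool(deref({parent(this_dn)}, "manager") & {user_dn})


def goal2_via_ou_attribute(this_dn: str, user_dn: str) -> bool:
    """The post's shorter attempt "this/ou/manager & user" in this model:
    this/ou yields the string "sales", which is not a DN, so "/manager"
    dereferences nothing and the intersection is empty."""
    return bool(deref(deref({this_dn}, "ou"), "manager") & {user_dn})


def goal3_write(this_dn: str, user_dn: str) -> bool:
    """Goal 3 as a chain: ous managed by user -> persons under those ous
    -> their mail values -> intersect with this/mail."""
    managed_ous = {dn for dn, e in DIT.items() if user_dn in e.get("manager", set())}
    persons = {dn for dn in DIT if parent(dn) in managed_ous}
    return bool(deref(persons, "mail") & deref({this_dn}, "mail"))


def allowed_write(this_dn: str, user_dn: str) -> bool:
    """Combine the clauses per entry type, the way a "by ... write" chain would."""
    oc = DIT[this_dn]["objectClass"]
    if "mailAddress" in oc:
        return goal1_write(this_dn, user_dn) or goal3_write(this_dn, user_dn)
    if "person" in oc:
        return goal2_write(this_dn, user_dn)
    return False


if __name__ == "__main__":
    for who in (X, Z, OTHER):
        print(f"{who:45} -> W: {allowed_write(W, who)}  X: {allowed_write(X, who)}")
```

The goal 3 function is the chain the post is trying to express in one set expression: it walks from the bound user to the ous that name that user as manager, down to the persons beneath them, and only then compares mail values with the target entry. Whether that walk can be written as a single slapd set expression is not settled by the post; the model only shows which intermediate sets such an expression has to produce.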