
Cascaded "by group" ACL



Hi 
	I have an LDAP directory which has a complex tree structure
which has about 300 nodes and a depth of about 10 levels. (It actually
represents the organizational structure of our university). We want to have
groups of people which have access only to a public area (subtree) of each
node. These people will also have access to similar public subtrees in all
of the subtrees below them. I.e. a faculty will have access to a department's
public subtree and the department's section's public subtree. A department
will have access to the department's section's public subtree, etc. Each node
has a private set of subtrees to which only the top-level administrators have
access.

I am using a set of ACL like the following:

access  to dn="cn=ldapadmin,ou=(.*),ou=(.*),ou=(.*),ou=(.*),ou=(.*),ou=(.*),o=The University of Queensland,c=AU"
	by group="cn=ldapadmin,ou=$1,ou=$2,ou=$3,ou=$4,ou=$5,ou=$6,o=The University of Queensland,c=AU" write
	by group="cn=ldapadmin,ou=$2,ou=$3,ou=$4,ou=$5,ou=$6,o=The University of Queensland,c=AU" write
	by group="cn=ldapadmin,ou=$3,ou=$4,ou=$5,ou=$6,o=The University of Queensland,c=AU" write
	by group="cn=ldapadmin,ou=$4,ou=$5,ou=$6,o=The University of Queensland,c=AU" write
	by group="cn=ldapadmin,ou=$5,ou=$6,o=The University of Queensland,c=AU" write
	by group="cn=ldapadmin,ou=$6,o=The University of Queensland,c=AU" write
	by * none

access  to dn="cn=ldapadmin,ou=(.*),ou=(.*),ou=(.*),ou=(.*),ou=(.*),o=The University of Queensland,c=AU"
	by group="cn=ldapadmin,ou=$1,ou=$2,ou=$3,ou=$4,ou=$5,o=The University of Queensland,c=AU" write
	by group="cn=ldapadmin,ou=$2,ou=$3,ou=$4,ou=$5,o=The University of Queensland,c=AU" write
	by group="cn=ldapadmin,ou=$3,ou=$4,ou=$5,o=The University of Queensland,c=AU" write
	by group="cn=ldapadmin,ou=$4,ou=$5,o=The University of Queensland,c=AU" write
	by group="cn=ldapadmin,ou=$5,o=The University of Queensland,c=AU" write
	by * none

access  to dn="cn=ldapadmin,ou=(.*),ou=(.*),ou=(.*),ou=(.*),o=The University of Queensland,c=AU"
	by group="cn=ldapadmin,ou=$1,ou=$2,ou=$3,ou=$4,o=The University of Queensland,c=AU" write
	by group="cn=ldapadmin,ou=$2,ou=$3,ou=$4,o=The University of Queensland,c=AU" write
	by group="cn=ldapadmin,ou=$3,ou=$4,o=The University of Queensland,c=AU" write
	by group="cn=ldapadmin,ou=$4,o=The University of Queensland,c=AU" write
	by * none

access  to dn="cn=ldapadmin,ou=(.*),ou=(.*),ou=(.*),o=The University of Queensland,c=AU"
	by group="cn=ldapadmin,ou=$1,ou=$2,ou=$3,o=The University of Queensland,c=AU" write
	by group="cn=ldapadmin,ou=$2,ou=$3,o=The University of Queensland,c=AU" write
	by group="cn=ldapadmin,ou=$3,o=The University of Queensland,c=AU" write
	by * none

access  to dn="cn=ldapadmin,ou=(.*),ou=(.*),o=The University of Queensland,c=AU"
	by group="cn=ldapadmin,ou=$1,ou=$2,o=The University of Queensland,c=AU" write
	by group="cn=ldapadmin,ou=$2,o=The University of Queensland,c=AU" write
	by * none

access  to dn="cn=ldapadmin,ou=(.*),o=The University of Queensland,c=AU"
	by group="cn=ldapadmin,ou=$1,o=The University of Queensland,c=AU" write
	by * none

access  to dn=".*,o=The University of Queensland,c=AU"
	by group="cn=ldapadmin,o=The University of Queensland,c=AU" write
	by * read


This is working quite well for reading actions using ldapsearch.
However, write actions (using ldapmodify) cause the server to lock up.
(A SIGHUP is ignored and I guess one of the threads gets in a bind.)
In fact, using an anonymous bind to modify does the same without seeing the
"Insufficient privilege" message. Taking the cascaded ACLs out and using only

access  to dn=".*,o=The University of Queensland,c=AU"
	by group="cn=ldapadmin,o=The University of Queensland,c=AU" write
	by * read

works fine for ldapmodify. Any thoughts on the matter would be greatly appreciated.
The server is a DEC Alpha running DU4.0D. The OpenLDAP version is slapd 1.1-Release compiled
with pthreads.

PS I can provide logs.
-- 

  +-----------------+------------------------------------------+
  |    _   ^   _    | Dr. Rodney McDuff                        |
  |   |\  /|\  /|   | Network Development, Prentice Centre     |
  |     \  |  /     | The University of Queensland             |
  |      \ | /      | St. Lucia, Brisbane                      |
  |       \|/       | Queensland, Australia. 4072.             |
  |<-------+------->| TELEPHONE: +61 7 3365 8220               |
  |       /|\       | FACSIMILE: +61 7 3365 4477               |
  |      / | \      | EMAIL: mcduff@prentice.uq.edu.au         |
  |     /  |  \     |                                          |
  |   |/  \|/  \|   |        Ex ignorantia ad sapientiam       |
  |    -   v   -    |            Ex luce ad tenebras           |
  +-----------------+------------------------------------------+
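The cascaded rule from the post, as an added Python model that is not part of the original message: it lists the ldapadmin groups the stanzas grant write on a target entry, checks a bind DN against a constructed membership table, and regenerates a stanza of any depth in the shape hand-written above. It walks the DN by RDN instead of relying on greedy `(.*)` captures, assumes plain DNs with no escaped commas, and mirrors slapd's first-match rule, under which the base-level group is only named in the final catch-all stanza; all group and member DNs in the sample are constructed.

```python
# Added example (not from the post): model of the cascaded "by group" ACL.
# slapd applies the first "access to" whose dn pattern matches the target;
# each ou-level stanza grants write to the ldapadmin group at the target's
# own ou and at every ancestor ou, and the catch-all names the base group.
# Assumption: plain DNs with no escaped commas, so RDNs split on ",".

BASE = "o=The University of Queensland,c=AU"


def split_rdns(dn):
    """Split a DN into RDN strings (no escaped commas assumed)."""
    return [rdn.strip() for rdn in dn.split(",")]


def writers_for(target_dn, base=BASE):
    """Group DNs granted write on target_dn by the post's stanzas."""
    rdns, base_rdns = split_rdns(target_dn), split_rdns(base)
    if rdns[-len(base_rdns):] != base_rdns:
        return []                      # outside the base: nothing matches
    ous = [r for r in rdns[:-len(base_rdns)] if r.lower().startswith("ou=")]
    if not ous:                        # falls through to the catch-all
        return [",".join(["cn=ldapadmin"] + base_rdns)]
    # ous[i:] walks from the target's own ou up to the top-level ou.
    return [",".join(["cn=ldapadmin"] + ous[i:] + base_rdns)
            for i in range(len(ous))]


def can_write(bind_dn, target_dn, membership, base=BASE):
    """True if bind_dn is in any group that writers_for grants write."""
    return any(bind_dn in membership.get(g, ())
               for g in writers_for(target_dn, base))


def acl_stanza(depth, base=BASE):
    """Render the slapd.conf stanza for an entry `depth` ous below base."""
    pattern = ",".join(["cn=ldapadmin"] + ["ou=(.*)"] * depth + [base])
    lines = ['access to dn="%s"' % pattern]
    for i in range(1, depth + 1):      # $i..$depth, one line per ancestor
        refs = ",".join("ou=$%d" % j for j in range(i, depth + 1))
        lines.append('\tby group="cn=ldapadmin,%s,%s" write' % (refs, base))
    lines.append("\tby * none")
    return "\n".join(lines)


# Constructed sample membership: a faculty-level and a department-level admin.
MEMBERS = {
    "cn=ldapadmin,ou=Science," + BASE: {"uid=facadmin"},
    "cn=ldapadmin,ou=Physics,ou=Science," + BASE: {"uid=deptadmin"},
}
```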