Cascaded "by group" ACL
Hi
I have an LDAP directory which has a complex tree structure
which has about 300 nodes and a depth of about 10 levels. (It actually
represents the organizational structure of our university). We want to have
groups of people which have access only to a public area (subtree) of each
node. These people will also have access to a similar public subtree in all
of the subtrees below them. I.e. a faculty will have access to a department's
public subtree and the department's section's public subtree. A department
will have access to the department's section's public subtree, etc. Each node
has a private set of subtrees to which only the top-level administrators have
access.
I am using a set of ACLs like the following:
access to dn="cn=ldapadmin,ou=(.*),ou=(.*),ou=(.*),ou=(.*),ou=(.*),ou=(.*),o=The University of Queensland,c=AU"
        by group="cn=ldapadmin,ou=$1,ou=$2,ou=$3,ou=$4,ou=$5,ou=$6,o=The University of Queensland,c=AU" write
        by group="cn=ldapadmin,ou=$2,ou=$3,ou=$4,ou=$5,ou=$6,o=The University of Queensland,c=AU" write
        by group="cn=ldapadmin,ou=$3,ou=$4,ou=$5,ou=$6,o=The University of Queensland,c=AU" write
        by group="cn=ldapadmin,ou=$4,ou=$5,ou=$6,o=The University of Queensland,c=AU" write
        by group="cn=ldapadmin,ou=$5,ou=$6,o=The University of Queensland,c=AU" write
        by group="cn=ldapadmin,ou=$6,o=The University of Queensland,c=AU" write
        by * none
access to dn="cn=ldapadmin,ou=(.*),ou=(.*),ou=(.*),ou=(.*),ou=(.*),o=The University of Queensland,c=AU"
        by group="cn=ldapadmin,ou=$1,ou=$2,ou=$3,ou=$4,ou=$5,o=The University of Queensland,c=AU" write
        by group="cn=ldapadmin,ou=$2,ou=$3,ou=$4,ou=$5,o=The University of Queensland,c=AU" write
        by group="cn=ldapadmin,ou=$3,ou=$4,ou=$5,o=The University of Queensland,c=AU" write
        by group="cn=ldapadmin,ou=$4,ou=$5,o=The University of Queensland,c=AU" write
        by group="cn=ldapadmin,ou=$5,o=The University of Queensland,c=AU" write
        by * none
access to dn="cn=ldapadmin,ou=(.*),ou=(.*),ou=(.*),ou=(.*),o=The University of Queensland,c=AU"
        by group="cn=ldapadmin,ou=$1,ou=$2,ou=$3,ou=$4,o=The University of Queensland,c=AU" write
        by group="cn=ldapadmin,ou=$2,ou=$3,ou=$4,o=The University of Queensland,c=AU" write
        by group="cn=ldapadmin,ou=$3,ou=$4,o=The University of Queensland,c=AU" write
        by group="cn=ldapadmin,ou=$4,o=The University of Queensland,c=AU" write
        by * none
access to dn="cn=ldapadmin,ou=(.*),ou=(.*),ou=(.*),o=The University of Queensland,c=AU"
        by group="cn=ldapadmin,ou=$1,ou=$2,ou=$3,o=The University of Queensland,c=AU" write
        by group="cn=ldapadmin,ou=$2,ou=$3,o=The University of Queensland,c=AU" write
        by group="cn=ldapadmin,ou=$3,o=The University of Queensland,c=AU" write
        by * none
access to dn="cn=ldapadmin,ou=(.*),ou=(.*),o=The University of Queensland,c=AU"
        by group="cn=ldapadmin,ou=$1,ou=$2,o=The University of Queensland,c=AU" write
        by group="cn=ldapadmin,ou=$2,o=The University of Queensland,c=AU" write
        by * none
access to dn="cn=ldapadmin,ou=(.*),o=The University of Queensland,c=AU"
        by group="cn=ldapadmin,ou=$1,o=The University of Queensland,c=AU" write
        by * none
access to dn=".*,o=The University of Queensland,c=AU"
        by group="cn=ldapadmin,o=The University of Queensland,c=AU" write
        by * read
This is working quite well for reading actions using ldapsearch.
However, write actions (using ldapmodify) cause the server to lock up.
(A SIGHUP is ignored and I guess one of the threads gets in a bind.)
In fact, using an anonymous bind to modify does the same without seeing the
"Insufficient privilege" message. Taking the cascaded ACLs out and using only
access to dn=".*,o=The University of Queensland,c=AU"
        by group="cn=ldapadmin,o=The University of Queensland,c=AU" write
        by * read
works fine for ldapmodify. Any thoughts on the matter would be greatly appreciated.
The server is a DEC Alpha running DU4.0D. OpenLDAP version is slapd 1.1-Release compiled
with pthreads.
PS: I can provide logs.
--
Dr. Rodney McDuff
Network Development, Prentice Centre
The University of Queensland
St. Lucia, Brisbane
Queensland, Australia. 4072.
TELEPHONE: +61 7 3365 8220
FACSIMILE: +61 7 3365 4477
EMAIL: mcduff@prentice.uq.edu.au
Ex ignorantia ad sapientiam
Ex luce ad tenebras
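The cascade above is easier to reason about when generated and evaluated mechanically. The following Python is an added example, not code from the post or from OpenLDAP: it emits the post's stanza pattern for any depth and models which ldapadmin groups a target DN expands to. It assumes first-matching-stanza-wins, anchored and case-sensitive regex matching, and $1..$n expansion of the capture groups; the ou values and DNs used in the assertions are constructed.

```python
import re

# Suffix taken from the post; every DN below it is constructed sample data.
BASE = "o=The University of Queensland,c=AU"

def _target_regex(n, base=BASE):
    # The post's 'access to dn=' pattern for a cn=ldapadmin entry n ou= levels under base.
    return "cn=ldapadmin," + ",".join(["ou=(.*)"] * n) + "," + base

def cascaded_acl(depth):
    """Emit the post's cascade for subtrees up to `depth` ou= levels deep,
    most specific stanza first, then the catch-all stanza for everything else."""
    out = []
    for n in range(depth, 0, -1):
        out.append(f'access to dn="{_target_regex(n)}"')
        for start in range(1, n + 1):
            # Admin group at this level, then each ancestor level's admin group.
            group = ",".join(f"ou=${i}" for i in range(start, n + 1))
            out.append(f'    by group="cn=ldapadmin,{group},{BASE}" write')
        out.append("    by * none")
    out.append(f'access to dn=".*,{BASE}"')
    out.append(f'    by group="cn=ldapadmin,{BASE}" write')
    out.append("    by * read")
    return "\n".join(out)

def groups_granted_write(target_dn, depth):
    """Group DNs whose members get write on target_dn under cascaded_acl(depth).
    Assumption (modelled, not taken from slapd source): the first 'access to'
    stanza whose regex fully matches wins, and $1..$n are the captured ou values."""
    for n in range(depth, 0, -1):
        m = re.fullmatch(_target_regex(n, re.escape(BASE)), target_dn)
        if m:
            caps = m.groups()
            return ["cn=ldapadmin," + ",".join(f"ou={c}" for c in caps[s:]) + "," + BASE
                    for s in range(n)]
    if re.fullmatch(".*," + re.escape(BASE), target_dn):
        return ["cn=ldapadmin," + BASE]
    return []

def can_write(member_of, target_dn, depth):
    """True if a bind DN belonging to the groups in `member_of` gets write access."""
    return any(g in member_of for g in groups_granted_write(target_dn, depth))
```

One consequence worth checking before relying on this pattern: for an entry nested deeper than the deepest stanza, the greedy `(.*)` in `$1` swallows the extra `ou=` components, so the stanza still matches but only `depth` admin groups up the chain are granted write, not every ancestor.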