[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: slapd.conf acl based on uniqueMember attribute

This is sort of what we intended with the "selfattr" ACL specifier, which I
patched in a private copy of 2.0.7 and it seems I forgot to commit it into
HEAD. I'll have to dig thru my old emails for the notes on this one.

Note that this sort of ACL is rather dangerous; if your groupOfNames object
is modifiable by its owners, then they can grant themselves write access to
any object they wish simply by setting values in the member attribute. You
need to have very careful controls on the member attribute.

Of course, the usage that I envisioned is still simpler than your case, and
not adequate for your needs.

We have an "owner" object, which contains an "account" attribute, which
lists all of the accounts that are owned by the "owner." So, an ACL like:

  access to *
    by selfattr=account write

says to check if the entry of the current logged-in user contains an
"account" attribute, and the DN of the target object is listed there, then
give write access to the target. Your indirection through an "owner"
attribute is interesting, certainly even more flexible than what I
implemented. At this point I can't think of a meaningful syntax to express
that indirection.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Kurt D.
> Zeilenga
> Sent: Saturday, May 12, 2001 5:56 PM
> To: Gerald Carter
> Cc: openldap-software@OpenLDAP.org
> Subject: Re: slapd.conf acl based on uniqueMember attribute
> At 01:20 PM 5/12/01, Gerald Carter wrote:
> >What need to be able to do is to say...
> >
> >        "for all entries that have the groupOfNames objectclass
> >        value, give the 'owner' of that entry, write access to
> >        the entry named by the DN stored in the member attribute."
> >        ^^^^^^^^^^^^^^^^^^^^^^^^^
> >
> >Does that make sense?
> Ah, that's quite different from what you said previously.
> I do not believe one can write such an ACL in OpenLDAP.