Re: LDAP ACL controls inside LDAP

[Chris Hamilton <chris@ambigc.com>]

OK, I have done some more work here and produced a more complete acl I 
think that does what I want.  I don't have a good enough test tree to 
check, so
I will generate that next :).

Are _'s valid in dn's?
Not sure about set syntax either.

Below is the acls.  Any observations appreciated.
#
#Permission Members that aren't dn's
#
#_USER_ any authenticated 'user'
#
#_ANON_ any 'anonymous' bind
#
#May need to add DNs as 'groups' for these to work
#since member is supposed to be a specific DN.

#No need for access to root object stub which fails regexs.
#All perms are for children of an object, objects must be
#first created/setup by admin/write user of a parent. Default is no
#modify access to your own entry.

#For now we allow explicit _NONE_ access to remove permissions of a subtree.
#(As opposed to closest perm for user, which is quite hard/dangerous.)

#Block access to reading passwords (Could write them though we are 
always krbed right? :))
access to attr=userpassword
#       by self write
       by * compare

access to dn="(.*), (.*)"
#root ldapi perms
       by sockurl="^ldapi:///$" write
#Admin privs
       by group="cn=_ADMIN_, $2" write
#Owner privs
       by group="cn=_OWNER_, $1, $2" write
#Explicit revoking of access, assumes higher privilege normally available
       by group="cn=_NONE_, $2" none
#       Cannot _NONE_ _USER_ or bad things occur
#Write only access
       by group="cn=_WRITE_, $2" +w continue
#Explicit Read only access
       by group="cn=_READ_, $2" +r continue
#Explicit List only access
       by group="cn=_SEARCH_, $2" +s continue
#Explicit Compare only access
       by group="cn=_COMPARE_, $2" +c continue
#Explicit Auth only access though it is the default
       by group="cn=_AUTH_, $2" +x continue
#anonymous and user inherit anonymous perms
       by set=[cn=_ADMIN_, $2].member* & [_ANON_] write
       by set=[cn=_WRITE_, $2].member* & [_ANON_] +w continue
       by set=[cn=_READ_, $2].member* & [_ANON_] +r continue
       by set=[cn=_SEARCH_, $2].member* & [_ANON_] +s continue
       by set=[cn=_COMPARE_, $2].member* & [_ANON_] +c continue
       by set=[cn=_AUTH_, $2].member* & [_ANON_] +x continue
       by anonymous +x break
#user inherit additional generic user perms
       by set=[cn=_ADMIN_, $2].member* & [_USER_] write
       by set=[cn=_WRITE_, $2].member* & [_USER_] +w continue
       by set=[cn=_READ_, $2].member* & [_USER_] +r continue
       by set=[cn=_SEARCH_, $2].member* & [_USER_] +s continue
       by set=[cn=_COMPARE_, $2].member* & [_USER_] +c continue
       by set=[cn=_AUTH_, $2].member* & [_USER_] +x continue
       by user +x break

#It would be nice to shove this up above
access to dn="(.*), (.*)"
        by user +x break
        by set=[cn=_NONE_, $2].member* & [_ANON_] none

#You are here, so you ain't an admin of dn now are ya?
#dn names to block
#_ADMIN_
#_OWNER_
#_WRITE_
#_READ_
#_SEARCH_
#_COMPARE_
#_AUTH_ - No point in having these groups...
#_NONE_
#No access to any permission lists
access to dn="cn=_ADMIN_, (.*)"
       by * none
access to dn="cn=_OWNER_, (.*)"
       by * none
access to dn="cn=_WRITE_, (.*)"
       by * none
access to dn="cn=_READ_, (.*)"
       by * none
access to dn="cn=_SEARCH_, (.*)"
       by * none
access to dn="cn=_COMPARE_, (.*)"
       by * none
access to dn="cn=_AUTH_, (.*)"
       by * none
access to dn="cn=_NONE_, (.*)"
       by * none

#How did you get here?
access to * by * none




Chris Hamilton wrote:

> ....
>
> Thanks,
> Chris Hamilton