
Can I do this with OpenLDAP acls?

Using version 2.1.22, can I do the following?

Here are two entries from my LDAP directory:

# sjsobol, users, justthe.net
dn: uid=sjsobol,ou=users,dc=justthe,dc=net
uid: sjsobol
loginShell: /bin/bash
uidNumber: 500
gidNumber: 2000
homeDirectory: /home/sjsobol
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: jtnUserAccount
cn: Steve Sobol
gecos: JTN Steven J. Sobol
masterAccount: sjsobol

# m-rrb, users, justthe.net
dn: uid=m-rrb,ou=users,dc=justthe,dc=net
uid: m-rrb
uidNumber: 518
gidNumber: 2000
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: jtnUserAccount
homeDirectory: /home/m-rrb
loginShell: /bin/bash
cn: REC.RADIO.BROADCASTING Moderator Mailbox
gecos: REC.RADIO.BROADCASTING Moderator Mailbox
masterAccount: sjsobol

jtnUserAccount is an OC of my own creation that allows the masterAccount
attribute to be added to an entry. The purpose of this attribute is to
show common ownership of one or more directory entries. My schema is as
follows... (12388 is a Private Enterprise Number assigned to me by IANA.)

# 1.3.6.1.4.1 is the IANA enterprise arc; 12388 is the PEN named above.
objectIdentifier JTNRoot 1.3.6.1.4.1.12388
objectIdentifier JTNattributeType JTNRoot:1
objectIdentifier userAccountAttributeType JTNRoot:1.1
objectIdentifier JTNobjectClass JTNRoot:2
objectIdentifier userAccountOClassType JTNRoot:2.1
objectIdentifier JTNElement JTNRoot:3

attributeType ( userAccountAttributeType:1
              NAME 'masterAccount'
              DESC 'Master Account that controls one or more logins'
              EQUALITY caseIgnoreMatch
              SUBSTR caseIgnoreSubstringsMatch
              # Directory String syntax; matches the caseIgnore rules above
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

objectclass ( userAccountOClassType:1
              NAME 'jtnUserAccount'
              SUP posixAccount
              DESC 'JustThe.net User Account'
              MUST (gecos $ masterAccount) )

Now, here's what I need to know: Can I, given the aforementioned data,
create an ACL that will allow the user account specified by masterAccount
(in this case, uid=sjsobol, since the value of masterAccount is supposed
to match the value of an existing uid attribute) to have full control of
both entries? In other words, since masterAccount=sjsobol for both entries,
can I write an ACL that will allow uid=sjsobol,ou=users,dc=justthe,dc=net
full access to both entries?

Right now if I do an ldapsearch for masterAccount=sjsobol and I bind as
uid=sjsobol,ou=users,dc=justthe,dc=net, I only get the entry for
uid=sjsobol and not the one for uid=m-rrb, so obviously, given my current ACLs,

access to attr=userPassword
        by dn="cn=Manager,dc=justthe,dc=net" write
        by self write
        by anonymous read
        by * auth

access to *
        by dn="cn=Manager,dc=justthe,dc=net" write
        by anonymous read
        by self read

uid=sjsobol does not have permission to even read uid=m-rrb's entry.

I'm curious as to whether I can do what I'm trying to do. For a certain
LDAP entry I need to give the uid specified by the masterAccount attribute
full access, and I have absolutely no clue how to do it - or even whether I


JustThe.net Internet & New Media Services, Apple Valley, CA   PGP: 0xE3AE35ED
Steven J. Sobol, Geek In Charge / 888.480.4NET (4638) / sjsobol@JustThe.net
"someone once called me a sofa, but i didn't feel compelled to rush out and buy
slip covers." -adam brower * Hiroshima '45, Chernobyl '86, Windows 98/2000/2003
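An added example of one way to do what the post asks for (this is not from the original message or from the OpenLDAP project): OpenLDAP 2.1 already has the `dnattr=<attribute>` who-clause, which grants the listed access to whoever is bound as a DN stored in that attribute of the target entry. It requires a DN-syntax attribute, so the assumption below is that masterAccount is changed to hold the owner's full DN instead of a bare uid string (the entries then carry `masterAccount: uid=sjsobol,ou=users,dc=justthe,dc=net`). The original ACLs are otherwise kept, except that anonymous read of userPassword is replaced with `auth`, since it hands out password hashes to anyone.

```conf
# Added example (not from the original post): slapd.conf fragments that
# give the account named in masterAccount full control of the entry via
# the "dnattr" who-clause. Assumption: masterAccount is redefined with DN
# syntax, because dnattr compares the bound DN against the attribute's
# values and will not accept an attribute that holds a plain uid string.

# --- schema: masterAccount as a DN-valued attribute ---
attributeType ( userAccountAttributeType:1
        NAME 'masterAccount'
        DESC 'DN of the account that controls this login'
        EQUALITY distinguishedNameMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

# Each entry then carries the owner's full DN, e.g. in uid=m-rrb:
#   masterAccount: uid=sjsobol,ou=users,dc=justthe,dc=net

# --- access control ---
# <by> clauses are tried in order and the first match wins, so the dnattr
# line must precede the catch-all clauses. "write" implies read, search
# and compare, so a bind as the master can also find its own entries with
# the filter (masterAccount=uid=sjsobol,ou=users,dc=justthe,dc=net).
access to attrs=userPassword
        by dn="cn=Manager,dc=justthe,dc=net" write
        by dnattr=masterAccount write
        by self write
        by * auth

access to *
        by dn="cn=Manager,dc=justthe,dc=net" write
        by dnattr=masterAccount write
        by anonymous read
        by self read

# Check after restarting slapd: bound as the master, both entries are
# returned, and a modify against uid=m-rrb succeeds.
#   ldapsearch -x -D "uid=sjsobol,ou=users,dc=justthe,dc=net" -W \
#       -b "ou=users,dc=justthe,dc=net" \
#       "(masterAccount=uid=sjsobol,ou=users,dc=justthe,dc=net)"
```

Because uid=sjsobol's own entry also names itself as master, the dnattr clause grants it write to itself as well, which is already covered by `by self write`. Keep the attribute single-valued in practice unless several owners per mailbox are actually wanted; every DN listed in masterAccount gets full control of that entry.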