
Re: regex in group ACL

OK, now I can explain my whole access control problem:

In my directory (OpenLDAP of course), under each user, I store objects representing an account in a given application. This account contains a login and a password and is used to open a session in the application. I wrote the access control rules which give each user special rights on its objects (the ones under its own entry).

But now I sometimes want (understand: at run time, so no rule in the configuration file) to give somebody else access rights on an account object under a given user.
I did not design the data model, and did not write the whole software (which was originally written to work with Active Directory), and currently when such an operation is made, an object of class delegation is created under the account object, and this object contains the DN of the user to which the right is given.
So under an object of class account, there is one object of class delegation for each user who can use the account.

|    \--account
|            \------delegation2
|            \------delegation3
|            \------delegation4

Now, I want to write generic rules in slapd.conf that give the concrete access rights on the account to the users referenced in the delegation objects under it, so the access rights are automatic when a delegation operation is done.

My first idea was to consider the delegation objects as groups, and use such an access rule, which I found very simple and clear for such a complex behavior:

access to filter="objectClass=account" dn="(.*)"
   by group/delegation/delegatedUserDN.regex=".*,$1" read

(I use 'regex' or 'expand' depending on the version of OpenLDAP the customer uses)

So every object of class delegation located under an account object automatically gives access on the account object to the user DN referenced in its attribute delegatedUserDN.

But, too bad for me, one can't use wildcards in a group.regex expression.

What can I do to solve my problem?

Thank you very much to everyone who reached this point of my post :-)
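
The policy described in the post, written out as a small reference model; this is an added example, not part of the original message and not OpenLDAP code. It can serve as an oracle when testing whatever slapd.conf rules end up implementing the delegation. The `dc=example,dc=com` entries are constructed sample data, and it assumes the account sits directly under its owner and that no DN contains an escaped comma.

```python
def norm(dn):
    """Simplified DN normalisation: lowercase, trim spaces around RDNs.
    Assumption: no escaped commas in the DNs handled here."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parent(dn):
    """Normalised DN of the immediate parent entry."""
    return norm(dn).partition(",")[2]

def has_class(entry, cls):
    return cls.lower() in (c.lower() for c in entry.get("objectClass", []))

def can_read_account(directory, bind_dn, account_dn):
    """True if bind_dn may read account_dn under the intended policy:
    - the owner, i.e. the user entry directly above the account, or
    - a user named in delegatedUserDN of a delegation object that is a
      direct child of this account (not of some other account)."""
    tree = {norm(dn): entry for dn, entry in directory.items()}
    who, target = norm(bind_dn), norm(account_dn)
    if not who or not has_class(tree.get(target, {}), "account"):
        return False  # anonymous bind, unknown entry, or not an account
    if parent(target) == who:
        return True
    for dn, entry in tree.items():
        if parent(dn) == target and has_class(entry, "delegation"):
            if who in (norm(v) for v in entry.get("delegatedUserDN", [])):
                return True
    return False

# Constructed sample directory: alice owns two accounts, one delegated to bob.
BASE = "ou=people,dc=example,dc=com"
ALICE, BOB, CAROL = (f"uid={u},{BASE}" for u in ("alice", "bob", "carol"))
MAIL, CRM = f"cn=mail,{ALICE}", f"cn=crm,{ALICE}"
DELEG = f"cn=d1,{MAIL}"
DIT = {
    ALICE: {"objectClass": ["person"]},
    BOB: {"objectClass": ["person"]},
    CAROL: {"objectClass": ["person"]},
    MAIL: {"objectClass": ["account"]},
    CRM: {"objectClass": ["account"]},
    # Mixed case on purpose: DN comparison must not be case-sensitive.
    DELEG: {"objectClass": ["delegation"],
            "delegatedUserDN": ["UID=Bob, OU=People, DC=example, DC=com"]},
}

if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL):
        for acct in (MAIL, CRM):
            print(user, acct, can_read_account(DIT, user, acct))
```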