[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: regex in group ACL


your mail was very useful to understand what's going on.  I think there
might be a solution with either 2.1 or 2.2, and recent improvements in
HEAD will make it even more efficient, provided it matches your
requirements.  There is still something I need to understand from your
mail; see below.

> # Entry 3:
> dn:cn=exampleSSOStorageV2,uid=denis,ou=Users,dc=example,dc=local
versionNumber: 2
> cn: exampleSSOStorageV2
> objectClass: exampleSSOStorage

1.a) Is there a __finite__ set of account RDNs?  I mean,
"exampleSSOStorageV2", "accountX" and so, but a limited, well defined
number of types, which are known at configure time, so they can be
enumerated in ACLs?
1.b) Or do they change and grow at run-time?
1.c) Furthermore, do users have children that are not accounts?
1.d) Or do accounts have children that are not delegations?

> As you can see, the accounts objects are stored as exampleSSOAccount
objectClass entries, under an object of class exampleSSOStorage. The
delegation objects are of class exampleSSOAccountDelegation

>> 4) Is the delegation's DN the identity you want to give access rights
for the user's entry?
> Probably due to the fact that English is not my natural language, I
don't understand you.

.. or I need to reword my question :)

> But I think my LDIF export will be a good explanation.
> In this case, the access right rule would be :
> access to
> dn="cn=W02222226CAPP36UMM4SA4JUG6JURRUVWZ2222222222222222,cn=exampleSSOStorageV2,uid=denis,ou=Users,dc=example,dc=local"
>     by dn="uid=francois,ou=Tests FB,dc=example,dc=local" read
> Indeed, I want a more generic rule :) and since "uid=francois,ou=Tests
FB,dc=example,dc=local" is stored in the exampleSSOAccountDelegation
object through its exampleUserEntityObject attribute :
> access to
> dn="cn=W02222226CAPP36UMM4SA4JUG6JURRUVWZ2222222222222222,cn=exampleSSOStorageV2,uid=denis,ou=Users,dc=example,dc=local"
>     by
> group="cn=dc0d0c04-a7f4-1028-9b7a-c1ad53990353,cn=W02222226CAPP36UMM4SA4JUG6JURRUVWZ2222222222222222,cn=exampleSSOStorageV2,uid=denis,ou=Users,dc=example,dc=local"
> (Where 'group' has to be replaced with
> 'group/exampleSSOAccountDelegation/exampleUserEntityObject')
> But here it only works for one account of one user, so the very generic
rule would be :
> access to filter="(objectClass=exampleSSOAccount)" dn.regex="(.*)"
>     by group.regex="(.*),$1" read
> But this doesn't work (see my previous posts)
> Important precision : *One delegation object is created of each user
which the account is delegated to*. So there can be several
> exampleSSOAccountDelegation objects under one exampleSSOAccount object.
And there is only one value of exampleUserEntityObject in a
> exampleSSOAccountDelegation  entry.
> So maybe I could find a way with dnattr... but I don't find one

Initially, I thought your intention was to give __delegation__ access to
the ___user__ entry, so in a rule

access to <what>
  by <who> <rights>

the <what> is __user__ and the <who> is __delegation__

In this case you can do

access to dn.regex="^uid=([^,]+),ou=Tests FB,dc=example,dc=local$"

The DN in the <who> clause, as opposed to groups, __IS__ evaluated as a

But now I seem to realize that you want to do the opposite, i.e. give
__user__ access to the __delegation__ entry, so in a rule

access to <what>
  by <who> <rights>

the <what> is __delegation__ and the <who> is __user__

In this case you can do (2.2)

access to dn.regex="^cn=[^,]+,cn=[^,],uid=([^,]+),ou=Tests
        by dn.exact,expand="uid=$1,ou=Users,dc=example,dc=local" <access>

or (2.1)

access to dn.regex="^cn=[^,]+,cn=[^,],uid=([^,]+),ou=Tests
        by dn.regex="^uid=$1,ou=Users,dc=example,dc=local$" <access>

Of course these rules do not have granularity on the account or on the
delegation (everything whose RDN has "cn" as naming attribute is fine) but
I assume that's what you want.  In the latter case you can narrow the
selection by adding a filter on the objectClass of the delegation.

Hope it helps.


Pierangelo Masarati

    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497