[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Tricky ACL

Kasundra, Digant wrote:

I'm trying to figure out how to do a particularly tricky ACL. Basically, I have a People branch and an Account branch. The people branch has an attribute per entry called accountName which is the UID of their account in the account branch (the uid forms the dn of the account branch but the accountName attribute is just the uid, not the full dn). People bind to the directory using their account entry, not their person entry. I want to create an ACL such that a person bound to an account can read attributes associated with their person account. I tried the following but slapd complained:

access to dn.subtree="cn=people,dc=uta,dc=edu"
attrs="entry,someAttribute,accountName val=$1"
by dn.regex="uid=(.*),cn=accounts,dc=uta,dc=edu" peername.regex="129.107.*" read

When I did this, it would complain of unknown attribute "accountName val=$1".

Is what I am trying to do even possible?

You don't say what version you're using; this may impact the availability of certain ACLs. For HEAD code, which should be relatively similar to 2.2.17 in this field, the slapd.access(5) man page documents the "val" option for attributeType qualification; it says
attrs=<attr> val[.<style>]=<attrval>
which means that only one attribute type must be present ("<attr>"); it doesn't mention submatch (from DN?) expansion, and I'm pretty sure the code doesn't do that. What you want to do can be obtained by using

access to dn.subtree="cn=people,dc=uta,dc=edu"
   by set.exact="this/accountName & user/uid" read

Of course you may need more rules to make sure that "user" actually is an account.


   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497