
Re: ACLs on OUs and their children/leaves

Markus Wernig wrote:

I can't find an indication of what version of the software you're using, so helping you might be a problem because ACLs have been evolving quite a bit.

This seems clear, so far. What I'm not getting into my head is: how to
set ACLs on group-{1:n} in such a way that only those who bind to the
server with a DN of "ou=group-{X},ou=users,dc=domain,dc=tld" and the
userPassword set for group-{X} can read/write the entries
(inetorgPerson) in that OU. The problem is that there is no real naming
convention for the groups (not regex-able),

??? see below.

and that they tend to be rather dynamic. Plus: There's no way of restricting access to certain, static names that I could predefine in an ACL, so I think I need a dynamic approach.

I've tried the following (in slapd.conf), which generates a slapd
startup error and failure:
# ACLs
access to attrs=userPassword
        by self write
        by * auth

access to *
        by self write
        by users search

access to dn.sub="ou=users,dc=domain,dc=tld"
        by dnattr="ou" write

This is wrong because, as the name says, you need to set "dnattr" to an attribute that is DN-valued (or nameAndOptionalUID-valued, like uniqueMember). The solution to your problem is:

access to dn.regex="(.+,)?(ou=[^,]+,ou=users,dc=domain,dc=tld)$"
   by dn.exact,expand="$2" write

i.e. grab the terminal portion of the DN and use it to compare with the identity of the operation.


access to dn.regex="(.+,)?(ou=[^,]+,ou=users,dc=domain,dc=tld)$"
   by dn.regex="^$2$$" write

with older versions of the software.


   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
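The two rules above work because slapd captures the "ou=group-X,ou=users,..." tail of the target DN as $2 and then compares it against the bind DN. The following is an added worked example, not code from the original thread or from OpenLDAP: a small Python model of how slapd evaluates DN-targeted ACLs (first matching "access to" wins; inside it the first matching "by" wins; if none matches, access is none). It implements only the "by" kinds used in this thread (self, users, *, dn.exact,expand and the older dn.regex form with $n expansion), and all DNs, the group-1/group-2 entries and the helper names are constructed for the example. It also shows why the quoted configuration would not have worked even once the dnattr error was fixed: a catch-all "access to *" placed before the per-OU rule is consulted first and the per-OU rule is never reached.

```python
import re

# slapd privilege levels, lowest to highest; a higher level implies the lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# The target rule from the thread: the optional "(.+,)?" lets the rule cover both
# the ou=group-X entry itself and everything below it; $2 is the OU's own DN.
GROUP_TARGET = r"(.+,)?(ou=[^,]+,ou=users,dc=domain,dc=tld)$"

# Current syntax: compare the bind DN exactly against the expanded $2.
ACLS_EXACT = [
    (GROUP_TARGET, [("dn.exact,expand", "$2", "write")]),
]
# Older syntax: build a regex from $2 ("$$" is a literal "$", here the end anchor).
ACLS_REGEX = [
    (GROUP_TARGET, [("dn.regex,expand", "^$2$$", "write")]),
]
# The quoted ordering (constructed): a catch-all rule before the per-OU rule.
ACLS_SHADOWED = [
    (".*", [("self", None, "write"), ("users", None, "search")]),
    (GROUP_TARGET, [("dn.exact,expand", "$2", "write")]),
]


def expand(template, m):
    """Substitute $1..$9 with the groups of the 'access to' match; '$$' becomes '$'."""
    out, i = [], 0
    while i < len(template):
        c = template[i]
        if c == "$" and i + 1 < len(template):
            nxt = template[i + 1]
            if nxt == "$":
                out.append("$")
                i += 2
                continue
            if nxt.isdigit():
                out.append(m.group(int(nxt)) or "")  # unmatched optional group -> ""
                i += 2
                continue
        out.append(c)
        i += 1
    return "".join(out)


def who_matches(kind, pattern, m, target_dn, bind_dn):
    """Does one 'by' clause apply to this bind identity? (bind_dn == "" is anonymous)"""
    bind = bind_dn.lower()
    if kind == "*":
        return True
    if kind == "anonymous":
        return bind == ""
    if kind == "users":
        return bind != ""
    if kind == "self":
        return bind != "" and bind == target_dn.lower()
    if kind == "dn.exact,expand":
        return bind == expand(pattern, m).lower()
    if kind == "dn.regex,expand":
        # Note: slapd inserts the captured text unescaped, so a DN containing regex
        # metacharacters would change the meaning of the pattern.
        return re.search(expand(pattern, m), bind_dn, re.IGNORECASE) is not None
    raise ValueError("unknown by-clause kind: %s" % kind)


def evaluate(acls, target_dn, bind_dn):
    """Return the access level bind_dn gets on target_dn under this ACL list."""
    for target_regex, by_clauses in acls:
        m = re.search(target_regex, target_dn, re.IGNORECASE)
        if not m:
            continue  # this 'access to' does not cover the entry; try the next one
        for kind, pattern, level in by_clauses:
            if who_matches(kind, pattern, m, target_dn, bind_dn):
                return level
        return "none"  # target matched but no 'by' clause did: denied, stop here
    return "none"


def allows(acls, target_dn, bind_dn, needed):
    """True if the granted level is at least 'needed'."""
    return LEVELS.index(evaluate(acls, target_dn, bind_dn)) >= LEVELS.index(needed)


if __name__ == "__main__":
    g1 = "ou=group-1,ou=users,dc=domain,dc=tld"          # constructed group OU
    alice = "cn=alice," + g1                              # entry inside group-1
    bob = "cn=bob,ou=group-2,ou=users,dc=domain,dc=tld"   # entry inside group-2
    for name, acls in (("dn.exact,expand", ACLS_EXACT),
                       ("dn.regex", ACLS_REGEX),
                       ("catch-all first", ACLS_SHADOWED)):
        print("%-16s own entry: %-6s own OU: %-6s other OU: %s" % (
            name, evaluate(acls, alice, g1), evaluate(acls, g1, g1),
            evaluate(acls, bob, g1)))
```

Binding as ou=group-1 gets write on cn=alice,ou=group-1 and on the OU entry itself under both forms of the rule, and nothing at all on group-2's entries. With the catch-all "access to *" first, the same bind only gets search on its own group's entries, because the catch-all rule is the one that matches the target and its "by users search" clause is what applies; in slapd.conf the per-OU rule therefore has to come before any "access to *".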