
Re: ACLs by netgroup?

[your message appears completely scrambled; I'll do my best to answer]

> Thanks for your suggestions.  I have two questions about sets:
> 1) Can you confirm(/deny) that access is allowed if the set is not empty,
> regardless of what's in the set.  (My initial impression was that the set would
> evaluate to a set of DNs, and the designated access would occur if the binding
> user matched one of those DNs.)

Yes, access is granted if the set is non-empty.
No, the set does not need to be made of DNs; see the examples in the

> As a trivial example, if there is a group:
> dn: cn=scnrage,ou=Groups,dc=example,dc=com
> cn: cnorage
> objectClass: groupOfUniqueNames
> uniqueMember: uid=workerbee,ou=People,dc=example,dc=com
> uniqueMember: uid=workerbee,ou=People,dc=example,dc=com
> uniqueMember: uid=workerbee,ou=People,dc=example,dc=com
> then the following ACL allows write access to the attr userPassword regardless
> of who binds, yes?
> access to attrs=userPassword      by set="(
> [cn=scnrage,ou=groups,dc=example,dc=com]/uniqueMember
> [uid=workerbee,ou=people,dc=ofotofotocom] " write
>         by anonymous auth      by * none
> 2)  I was not able to get your first example to work. I am wondering if it is
> because the set will always evaluate to the empty set, unless "this" is the
> same as "user" (in which case it works, but then we can use "self").   Is there
> a different syntax that you can suggest, that would achieve the same intent? 
> (returning a non-empty set if each of the constituent statements is non-empty).
>  I played around a bit with no success, but this is all new to me.

Not sure about the first example; for sure the last one works as
intended (I mean: as I intended; we might not yet intend the same

> Your example:
> access to attrs=userPassword self =xw
> xw set="([cn=gcnup]/member & this) & ([cn=gcnup]/owner & user)" =xw
> xw * =x
> I was able to get these two ACLs to work:
> access to attrs=userPassword self =xw
> xw set="([cn=gcnup]/member & this) " =xw
> xw * =x
> access to attrs=userPassword self =xw
> xw set="([cn=gcnup]/owner & user)" =xw
> xw * =x
> When I &'d them, things stop working.
> I haven't gotten the third example to work yet, though I believe that's because
> I'm flailing on the syntax:
> by
> set.expand="[ldap:///dc=suffix??sub?(&(objectClass=groupOfNames)(member=$0))]/owner
> & user" =xw
> thanks
> sam
> ps. will work on using groupOfNames rather than groupOfUniqueNames when
> I have time to rewrite our data.
> we are running slapslapd.19

Since access control works per <what>, we need to work with that.  As
far as I understand, you want manager to be able to change the password
of the workerbee.  If you have a "groupOfNames" for each manager that
lists the related workerbees in the "member" and the manager in the
"owner", then you want to build a rule that, when the <what> is the
workerbee's password, it collects the groups the workerbee is member of
and ANDs their owner with the identity that's performing the operation.


selects the owner of all groups the <what> ($0) is member of; all you
need to do is AND that set with the identity that's performing the
operation (user), i.e.

[ldap:///dc=base??sub?(&(objectClass=groupOfNames)(member=$0))]/owner & user

The resulting set is either empty, or it consists of "user"; the value
in case of non-empty set doesn't really matter, as all that's required
to grant access is a non-empty set.

I wouldn't spend too much effort in the other examples, as they are
limited to single cases, so you'd need to write one rule for each


Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
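The set semantics discussed in the reply (a <by> clause matches when the set it evaluates to is non-empty, whatever it contains) can be checked by hand against a few entries. The following Python simulation is an added example, not code from this thread or from OpenLDAP: it keeps a constructed directory in memory (the DNs, the groupOfNames entry "cn=team" and the AND-of-equalities filter matching are all assumptions made for illustration), evaluates the set.expand rule from the reply with $0 bound to the entry being accessed, and also evaluates the single-group "([cn=group]/member & this) & ([cn=group]/owner & user)" form so the two can be compared.

```python
"""Simulation of slapd 'set' ACL evaluation for the rules discussed above.
Added example, not from the thread or from OpenLDAP; every DN and entry below
is constructed for illustration."""

# Constructed sample directory: a workerbee, the manager who owns the group the
# workerbee belongs to, and an unrelated user.
WORKERBEE = "uid=workerbee,ou=People,dc=example,dc=com"
MANAGER = "uid=manager,ou=People,dc=example,dc=com"
OTHER = "uid=other,ou=People,dc=example,dc=com"
TEAM = "cn=team,ou=Groups,dc=example,dc=com"  # hypothetical groupOfNames entry
BASE = "dc=example,dc=com"

DIRECTORY = {
    WORKERBEE: {"objectClass": {"inetOrgPerson"}},
    MANAGER: {"objectClass": {"inetOrgPerson"}},
    OTHER: {"objectClass": {"inetOrgPerson"}},
    TEAM: {
        "objectClass": {"groupOfNames"},
        "member": {WORKERBEE},
        "owner": {MANAGER},
    },
}


def norm(value):
    """Crude normalisation (trim RDN spacing, lowercase) so DNs compare equal
    regardless of case; real slapd uses proper DN matching."""
    return ",".join(part.strip() for part in value.split(",")).lower()


def attribute_of(directory, dns, attr):
    """The '/attr' step: map every DN in the set to the values of attr in the
    corresponding entry and union the results (missing entries contribute nothing)."""
    index = {norm(dn): attrs for dn, attrs in directory.items()}
    out = set()
    for dn in dns:
        out |= {norm(v) for v in index.get(dn, {}).get(attr, set())}
    return out


def url_search(directory, base, required):
    """Model of '[ldap:///base??sub?filter]': every entry at or under base whose
    attributes contain each (attr, value) pair in `required`, i.e. an AND filter
    of equality assertions, which is all the thread's filter needs."""
    base_n = norm(base)
    hits = set()
    for dn, attrs in directory.items():
        dn_n = norm(dn)
        if not (dn_n == base_n or dn_n.endswith("," + base_n)):
            continue
        if all(any(norm(v) == norm(want) for v in attrs.get(attr, set()))
               for attr, want in required):
            hits.add(dn_n)
    return hits


def owner_of_groups_rule(directory, this, user):
    """set.expand="[ldap:///dc=base??sub?(&(objectClass=groupOfNames)(member=$0))]/owner & user"
    with $0 expanded to the entry being accessed (this)."""
    groups = url_search(directory, BASE,
                        [("objectClass", "groupOfNames"), ("member", this)])
    owners = attribute_of(directory, groups, "owner")
    return owners & {norm(user)}


def single_group_rule(directory, group, this, user):
    """set="([cn=group]/member & this) & ([cn=group]/owner & user)" for one fixed group."""
    members = attribute_of(directory, {norm(group)}, "member")
    owners = attribute_of(directory, {norm(group)}, "owner")
    return (members & {norm(this)}) & (owners & {norm(user)})


def access_granted(result_set):
    """A set-based <by> clause applies when the set is non-empty; the values
    in the set do not matter."""
    return len(result_set) > 0


if __name__ == "__main__":
    for who in (MANAGER, OTHER):
        s = owner_of_groups_rule(DIRECTORY, WORKERBEE, who)
        print(f"{who} on {WORKERBEE}: set={s} granted={access_granted(s)}")
    s = single_group_rule(DIRECTORY, TEAM, WORKERBEE, MANAGER)
    print(f"single-group form, manager on workerbee: set={s} granted={access_granted(s)}")
```

Running it shows the reply's point: for the manager binding against the workerbee's entry the set.expand rule evaluates to exactly {user} and access is granted, for the unrelated user it is empty, and the manager does not match against their own entry through this rule because they are not a member of any group (that case is what the separate "by self" clause covers). The single-group form intersects {this} with {user} and so is empty whenever the bound identity differs from the entry being accessed, which is consistent with what the questioner observed when the two halves were &'d together.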