
Re: Another ACL question about set usage



Emmanuel Dreyfus wrote:

> 1) a person must be able to modify a mailAddress when it receives mail
> from this address. This is done by an ACL clause like this (obtained
> from this mailing list)
>     by set.exact="this/mail & user/mail" write
> It works very well. That goal is fulfilled.
Looks just fine.

> 2) a user listed as a manager for an ou must be able to modify the
> persons within the ou. I've come to the following:
> 
> access to dn.regex="uid=.+,ou=(.+),dc=example,dc=net$"
>     by set.expand="[ou=$1,dc=example,dc=net]/manager* & user" write
> 
> That works, though it seems to be very poor on the performance front.

Not sure you need to further expand the manager (the "star" at the end
of /manager*).  Furthermore, if that's your real DN layout, you could
try something like

access to dn.regex="^uid=.+,(ou=.+,dc=example,dc=net)$"
     by set.expand="[$1]/manager & user" write

I also note that

access to dn.regex="^uid=.+,(ou=.+,dc=example,dc=net)$"
     by group/organizationalUnit/manager.expand="$1" write

should be equivalent and much more efficient (but, AFAIK,
organizationalUnit does not allow manager!).

The above says that if you treat the objectClass "organizationalUnit" as
a group, and "manager" as the group's member attribute, and the
manager's value matches the user's identity, access is granted.

> I tried something simpler, such as:
>      by set.exact="this/ou/manager & user"
> or that way:
>      by set.exact="(this/ou+[,dc=example,dc=net])/manager & user"
> but it does not work, I have no idea why. I'm very curious to learn
> what's wrong here.


As far as I understand, "ou" contains the name of the
organizationalUnit, not its DN.  So set expansion does not work, because
it only acts on DNs.  Maybe something like

    by set.exact="([cn=]+this/ou+[dc=example,dc=net])/manager & user"

You see, in the last case you were almost there: all you're missing is
the [cn=]+ at the beginning of the DN.  But see my much cleaner example
above, which should be the most efficient thing you can do.

> 
> 3) The trickiest part, for which I have no solution: a user listed as a
> manager for an ou must be able to modify the mailAddress that a user he
> can modify could modify.
> 
> I can try to rephrase this a bit better. If I have the following
> (mailAddress, person, ou) triplet
> dn: mail=W,dc=example,dc=net
> 
> dn: uid=X,ou=Y,dc=example.dc=net
> mail: W
> 
> dn: ou=Y,dc=example,dc=net
> manager: Z
> 
> I want user Z to be able to modify mailAddress W
> 
> Here is an attempt that does not work
>    by set.exact="
>     ([uid=*,ou=] + ([manager=] + user)/ou*) + [,dc=example,dc=net])/mail
>     & this/mail" write

This seems to be hard to get.  As far as I understand:

- your final relation should be
    ANS ::= "this/mail & USERS/mail"

- where USERS is defined as
    USERS ::= "[ldap:///OUDN??one]/entryDN";

- but what's missing is how to compute OUDN from what you've got; this
should do what you need:
    OUDN ::= "([ldap:///dc=example,dc=net??one(manager=]+user+[)])/entryDN"

so performing the substitutions, and breaking up and combining literals
as appropriate

    by set.exact="this/mail &
([ldap:///]+([ldap:///dc=example,dc=net??one(manager=]+user+[)])/entryDN+[??one]/entryDN)/mail"

the above should work.  Unless I missed something in your description,
of course.

Note that performance will be ugly...

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
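Pulling the three rules of this thread together, as an added slapd.conf fragment that is not part of the original reply or of OpenLDAP's own documentation; the "access to" target clauses and the trailing "by * read" are assumptions taken from the DN layout quoted above, and the set expressions are the ones given in the thread:

```conf
# Added example (not from the thread). slapd evaluates "access to" directives
# in order and applies the first one whose target matches the entry; within
# it, the first matching "by" clause decides.  Whatever is not matched falls
# through to the implicit "by * none", so the fall-back "by * read" lines
# below are an assumption and may be too permissive for a real directory.

# Mail entries: dn: mail=W,dc=example,dc=net  (target regex is an assumption)
# 1) a person may modify a mail entry listed in the person's own "mail"
# 3) the manager of an ou may modify the mail entries of the persons in it
#    (set expression from the reply; no expansion, so set.exact)
access to dn.regex="^mail=.+,dc=example,dc=net$"
    by set.exact="this/mail & user/mail" write
    by set.exact="this/mail & ([ldap:///]+([ldap:///dc=example,dc=net??one(manager=]+user+[)])/entryDN+[??one]/entryDN)/mail" write
    by * read

# Person entries: dn: uid=X,ou=Y,dc=example,dc=net
# 2) the manager of the ou may modify the persons under it; $1 captures the
#    ou's full DN, so no further expansion of "manager" is needed
access to dn.regex="^uid=.+,(ou=.+,dc=example,dc=net)$"
    by set.expand="[$1]/manager & user" write
    by * read
```

Keep the mail-entry rule before any broader rule on the same subtree: slapd stops at the first "access to" whose target matches, so a more general directive placed earlier would shadow it.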