[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Another ACL question about set usage

Emmanuel Dreyfus wrote:

> 1) a person must be able to modify a mailAddress when it receives mail
> from this address. This is done by an ACL clause like this (obtained
> from this mailing list)
>     by set.exact="this/mail & user/mail" write
> It works very well. That goal is fullfilled.
Looks just fine.

> 2) a user listed as a manager for an ou must be able to modify the
> persons within the ou. I've came to the following:
> access to dn.regex="uid=.+,ou=(.+),dc=example,dc=net$"
>     by set.expand="[ou=$1,dc=example,dc=net]/manager* & user" write
> That works, though it seems to be very poor on the performance front.

Not sure you need to further expand the manager (the "star" at the end
of /manager*).  Furthermore, if that's your real DN layout, you could
try something like

access to dn.regex="^uid=.+,(ou=.+,dc=example,dc=net)$"
     by set.expand="[$1]/manager & user" write

I also note that

access to dn.regex="^uid=.+,(ou=.+,dc=example,dc=net)$"
     by group/organizationalUnit/manager.expand="$1" write

should be equivalent and much more efficient (but, AFAIK,
organizationalUnit does not allow manager!).

The above says that if you treat the objectClass "organizationalUnit" as
a group, and "manager" as the group's member attribute, and the
manager's value matches the user's identity, access is granted.

> I
> tried something more simplier, such as:
>      by set.exact="this/ou/manager & user"
> or that way:
>      by set.exact="(this/ou+[,dc=example,dc=net])/manager & user"
> but it does not work, I have no idea why. I'm very curious to learn
> what's wrong here.

As far as I understand, "ou" contains the name of the
organizationalUnit, not its DN.  So set expansion does not work, because
it only acts on DNs.  Maybe something like

    by set.exact="([cn=]+this/ou+[dc=example,dc=net])/manager & user"

You see, in the last case you were almost there: all you're missing is
the [cn=]+ at the beginning of the DN.  But see my much cleaner example
above, which should be the most efficient thing you can do.

> 3) The trickiest part, for which I have no solution: a user listed as a
> manager for an ou must be able to modify the mailAddress that a user he
> can modify could modify.
> I can try to rephrase this a bit better. If I have the following
> (mailAddress, person, ou) triplet
> dn: mail=W,dc=example,dc=net
> dn: uid=X,ou=Y,dc=example.dc=net
> mail: W
> dn: ou=Y,dc=example,dc=net
> manager: Z
> I want user Z to be able to modify mailAddress W
> Here is an attempt that does not work
>    by set.exact="
>     ([uid=*,ou=] + ([manager=] + user)/ou*) + [,dc=example,dc=net])/mail
>     & this/mail" write

This seems to be hard to get.  As far as I understand:

- your final relation should be
    ANS ::= "this/mail & USERS/mail"

- where USERS is defined as
    USERS ::= "[ldap:///OUDN??one]/entryDN";

- but what's missing is how to compute OUDN from what you've got; this
should do what you need:
    OUDN ::= "([ldap:///dc=example,dc=net??one(manager=]+user+[)])/entryDN"

so performing the substitutions, and breaking up and combining literals
as appropriate

    by set.exact="this/mail &

the above should work.  Unless I missed something in your description,
of course.

Note that performances will be ugly...


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it