[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Documentation request

To: Quanah Gibson-Mount <quanah@zimbra.com>
Subject: Re: Documentation request
From: Howard Chu <hyc@symas.com>
Date: Thu, 20 Sep 2007 20:33:07 -0700
Cc: Russ Allbery <rra@stanford.edu>, OpenLDAP Software List <openldap-software@openldap.org>
In-reply-to: <2572FD171FF164C9DAA5455C@[192.168.1.3]>
References: <1i4rd94.1euowalrp5vi2M%manu@netbsd.org> <46F2DAF6.1030307@OpenLDAP.org> <46F2DC43.3050709@symas.com> <46F2E38C.7010109@OpenLDAP.org> <87abrgx3ke.fsf_-_@windlord.stanford.edu> <46F31BB3.7030404@symas.com> <87ps0csss2.fsf@windlord.stanford.edu> <2572FD171FF164C9DAA5455C@[192.168.1.3]>
User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9a8pre) Gecko/2007091708 SeaMonkey/2.0a1pre

Quanah Gibson-Mount wrote:

--On Thursday, September 20, 2007 6:37 PM -0700 Russ Allbery <rra@stanford.edu> wrote:

Howard Chu <hyc@symas.com> writes:

So, for those of you using sets - why are they useful to you, and in what
ways are they still too limited? I personally am concerned that they are
too expensive to evaluate; if we could provide similar features using a
less general model that would be worth exploring too.

I inherited this setup, so I don't know how useful it is or if there are
better ways of expressing the same thing, but we use it for:

access to dn.children="cn=people,dc=stanford,dc=edu"
        by set.exact="this/uid & user/uid" sasl_ssf=56 read

This allows users who bind to the server to read their person entry when their binding user id matches the user id in the people tree.

I guess that makes sense. What is an example "user" in this case, does that reside under the people tree, or the accounts tree?

access to dn.children="cn=nis,dc=stanford,dc=edu"
        by set.exact="this/host & user" sasl_ssf=56 read
This was an experimental ACL for doing host based restrictions of user logins. It currently will never be used since this was never deployed. Still a cool idea though, I think. ;)

That would require your "host" attribute to use DN syntax. So presumably the user in this case is an nss_ldap proxy account...?

access to dn.children="cn=accounts,dc=stanford,dc=edu"
        by set.exact="this/uid & user/uid" sasl_ssf=56 read
        by * break
This allows users who bind to the server to read their account entry when their binding user id matches the user id in the entry in the account tree.

Don't users just bind using account entries anyway? Isn't this the same as "by self read" ? Or you're saying that there can be multiple accounts with the same uid?

Basically, the first and third acls allow Stanford users to have full read on their own data, but keeps the restrictions in place on all other peoples data in both trees.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/

Follow-Ups:
- Re: Documentation request
  - From: Russ Allbery <rra@stanford.edu>

References:
- Re: cn=config example
  - From: manu@netbsd.org (Emmanuel Dreyfus)
- Re: cn=config example
  - From: Gavin Henry <ghenry@OpenLDAP.org>
- Re: cn=config example
  - From: Howard Chu <hyc@symas.com>
- Re: cn=config example
  - From: Gavin Henry <ghenry@OpenLDAP.org>
- Documentation request (was: Re: cn=config example)
  - From: Russ Allbery <rra@stanford.edu>
- Re: Documentation request
  - From: Howard Chu <hyc@symas.com>
- Re: Documentation request
  - From: Russ Allbery <rra@stanford.edu>
- Re: Documentation request
  - From: Quanah Gibson-Mount <quanah@zimbra.com>

Prev by Date: Re: cn=config example
Next by Date: Re: Documentation request
Index(es):
- Chronological
- Thread