Recursive access control for groups

["Alina Dubrovska" <alina.second@gmail.com>]

Hello,

 

We need to configure recursive access control for groups in OpenLDAP server. I will describe in details.

Currently we allow members of "System Administrator" group to modify specific attributes by defining an ACL:

 

access to attrs=employeeType,employeeNumber
        by self write
        by group/groupOfUniqueNames/uniqueMember="cn=System Administrator,ou=groups,dc=domain,dc=com" write
        by * read

 

The problem is that we need to handle also nested memberships. If some group is specified as a uniqueMember of "System Administrator" group, then access should be granted to all sub-group members and so on recursively. In the following example both users (user1 and user2) must be able to modify attributes:

 

dn: cn=System Administrator,ou=groups,dc=domain,dc=com

uniqueMember: cn=user1,ou=users,dc=domain,dc=com

uniqueMember: cn=Sub Group,ou=groups,dc=domain,dc=com

 

dn: cn=Sub Group,ou=groups,dc=domain,dc=com

uniqueMember: cn=user2,ou=users,dc=domain,dc=com

 

It should be possible to create new group, add it as uniqueMember to "System Administrator" group and then all new group members automatically must be granted access to attributes.

 

I have found the following solution, which uses Sets syntax:

 

access to attrs=employeeType,employeeNumber
        by self write
        by set="[cn=System Administrator,ou=groups,dc=domain,dc=com]/uniqueMember* & user" write
        by * read

 

At first glance it worked as expected, but then problems started to appear... We have two OpenLDAP instances and now there are two different problems.

First instance (2.3.38) - After including some group in "System Administrator" and performing some operations, then after some time OpenLDAP crashes!

Second instance (2.3.27) - OpenLDAP doesn't crash, but operations (e.g. search) are very slow (un-acceptable)!

I can provide more details if necessary.

 

So, my questions are:

1) Is ACL with subject:

by set="[cn=System Administrator,ou=groups,dc=domain,dc=com]/uniqueMember* & user" write

valid for our situation?

2) Maybe there is another way to achieve our goal (that would be easier to apply rather than investigating current problems)?

3) Could please somebody assist in problems with new configuration (crash on 1st instance and poor performance on 2nd) ?

By the way, we are using quite advanced configuration, with ppolicy, refint, unique, accesslog overlays enabled.

So probably there are dependencies or incompatibilities between them...

 

That is very urgent and critical for our project, we really need to solve this problem as soon as possible!

Please help!!!

 

Thanks a lot in advance,

Alina.