Re: ACL for DIT structure rules

On Mon, Dec 01, 2008 at 05:17:28PM -0400, Mansour Al Akeel wrote:

> In a previous email, I was told that we can implement *DIT* *structure* 
> rules with openldap using ACL 
> (http://www.openldap.org/lists/openldap-technical/200811/msg00152.html). 
> Did anyone have any success implementing these rules with ACL? I have 
> searched the net for an example, but out of luck. Possibly a simple 
> example will help a lot, just to give me an idea about the syntax for a 
> DIT structure rule using ACL.

The basic idea is to restrict what can be created in each part of the
DIT. Suppose you have a node called cn=people,dc=example,dc=org and
you want to make sure that all nodes under it describe people. You might
write rules like this:

access to dn.exact="cn=people,dc=example,dc=org"
        by dn.exact="cn=admin,cn=people,dc=example,dc=org" write
        by * read

access to dn.onelevel="cn=people,dc=example,dc=org" filter="(objectClass=inetOrgPerson)"
        by dn.exact="cn=admin,cn=people,dc=example,dc=org" write
        by * read

The first rule allows the admin to create entries under the
"cn=people,dc=example,dc=org" node.

The second rule says that the admin is allowed to write entries that
are exactly one level below "cn=people,dc=example,dc=org" and that
have objectClass=inetOrgPerson.

If no other rules give the admin user write permissions in this
part of the DIT then you effectively have a structure rule.
The admin only has write permission if the entry has the correct
objectclass, so they cannot add something different.

I have used rules of this sort in the past, but ITS#4556 suggests
that there are cases where they do not work. See recent discussion:
I have rules very similar to the example above which I have just
tested on 2.3.27 and they work OK.... My actual rules use regex
but I simplified them for this message.
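To make the "effectively a structure rule" argument concrete, here is a small Python model of how slapd walks the two directives above. It is an added example, not part of the original message and not OpenLDAP code: it implements a deliberately simplified version of slapd's ACL evaluation (ordered `access to` directives, first target match wins; ordered `by` clauses, first match wins; deny when nothing matches), with `dn.exact`, `dn.onelevel` and `dn.subtree` scopes and a `filter="(objectClass=X)"` target filter. The DN handling is a naive comma split, the directory contents and bind DNs are constructed for the demo, and the add check (write on the parent entry plus write on the new entry) follows the reply's description rather than every detail of the real server.

```python
"""Toy model of the OpenLDAP ACL 'structure rule' idiom (added example).

Simplified slapd semantics modelled here:
  * directives are tried in order; the first whose target matches the
    entry is the only one consulted,
  * inside it, 'by' clauses are tried in order and the first matching the
    bound DN decides; if none matches, access is denied,
  * if no directive matches the entry at all, access is denied.
That last default is what turns a write grant limited by
filter="(objectClass=inetOrgPerson)" into a structure rule.
DNs are split naively on commas (no escaped-comma support).
"""
from dataclasses import dataclass
from typing import Optional

# slapd access levels, lowest to highest; a grant implies all lower levels.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


def norm(dn: str) -> str:
    """Case- and whitespace-insensitive comparison form of a DN."""
    return ",".join(p.strip().lower() for p in dn.split(",") if p.strip())


def parent(dn: str) -> str:
    parts = dn.split(",", 1)
    return parts[1] if len(parts) == 2 else ""


@dataclass
class By:
    who: str     # "*" or a DN, matched like dn.exact
    level: str


@dataclass
class Access:
    scope: str                 # "exact", "onelevel" or "subtree"
    target: str                # DN the scope is relative to
    filter_oc: Optional[str]   # objectClass required by filter="(objectClass=X)"
    by: list

    def matches(self, entry_dn: str, entry: dict) -> bool:
        e, t = norm(entry_dn), norm(self.target)
        if self.scope == "exact":
            in_scope = e == t
        elif self.scope == "onelevel":
            in_scope = norm(parent(entry_dn)) == t
        elif self.scope == "subtree":
            in_scope = e == t or e.endswith("," + t)
        else:
            raise ValueError(self.scope)
        if not in_scope:
            return False
        if self.filter_oc is None:
            return True
        ocs = {v.lower() for v in entry.get("objectClass", [])}
        return self.filter_oc.lower() in ocs


def granted(acl, bind_dn, entry_dn, entry) -> str:
    """Access level bind_dn gets on entry_dn under the ordered directives."""
    for directive in acl:
        if not directive.matches(entry_dn, entry):
            continue
        for clause in directive.by:
            if clause.who == "*" or norm(clause.who) == norm(bind_dn):
                return clause.level
        return "none"   # target matched but no 'by' clause applied: denied
    return "none"       # nothing matched: slapd's default is to deny


def has_write(acl, bind_dn, entry_dn, entry) -> bool:
    return LEVELS.index(granted(acl, bind_dn, entry_dn, entry)) >= LEVELS.index("write")


def can_add(acl, directory, bind_dn, new_dn, new_entry) -> bool:
    """Adding needs write on the existing parent and on the new entry."""
    par = parent(new_dn)
    existing = {norm(d): e for d, e in directory.items()}
    if norm(par) not in existing:
        return False   # parent must exist
    return has_write(acl, bind_dn, par, existing[norm(par)]) and \
        has_write(acl, bind_dn, new_dn, new_entry)


PEOPLE = "cn=people,dc=example,dc=org"
ADMIN = "cn=admin,cn=people,dc=example,dc=org"

# The two directives from the reply, the second carrying the objectClass filter.
ACL = [
    Access("exact", PEOPLE, None, [By(ADMIN, "write"), By("*", "read")]),
    Access("onelevel", PEOPLE, "inetOrgPerson", [By(ADMIN, "write"), By("*", "read")]),
]
# Same ACL plus a broad grant elsewhere in the config: the caveat in the reply.
ACL_LOOSE = ACL + [Access("subtree", "dc=example,dc=org", None, [By(ADMIN, "write")])]

# Constructed directory contents: the container and the admin entry only.
DIRECTORY = {
    PEOPLE: {"objectClass": ["organizationalRole"]},
    ADMIN: {"objectClass": ["inetOrgPerson"]},
}


def demo() -> dict:
    person = {"objectClass": ["inetOrgPerson"], "uid": ["alice"]}
    ou = {"objectClass": ["organizationalUnit"], "ou": ["stuff"]}
    return {
        "admin adds person":        can_add(ACL, DIRECTORY, ADMIN, "uid=alice," + PEOPLE, person),
        "admin adds ou":            can_add(ACL, DIRECTORY, ADMIN, "ou=stuff," + PEOPLE, ou),
        "admin adds two levels down": can_add(ACL, DIRECTORY, ADMIN, "uid=bob," + ADMIN, person),
        "anonymous adds person":    can_add(ACL, DIRECTORY, "", "uid=eve," + PEOPLE, person),
        "admin adds ou (loose ACL)": can_add(ACL_LOOSE, DIRECTORY, ADMIN, "ou=stuff," + PEOPLE, ou),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:28s} {'allowed' if allowed else 'denied'}")
```

Only the inetOrgPerson add under cn=people succeeds with the two directives alone; an organizationalUnit, an entry two levels down, and an anonymous add are all refused because no directive grants write for them. The `ACL_LOOSE` case shows why the reply's condition matters: one extra subtree-wide write grant for the admin, placed anywhere after the filtered rule, lets the organizationalUnit through again.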

