On Mon, Dec 01, 2008 at 05:17:28PM -0400, Mansour Al Akeel wrote:
In a previous email, I was told that we can implement *DIT* *structure* rules with openldap using ACL (http://www.openldap.org/lists/openldap-technical/200811/msg00152.html). Did any one have any success implementing these rules with ACL. I have searched the net for an example, but out of luck. Possibly a simple example will help a lot, just to give me an idea about the syntax for a DIT structure rule using ACL.
The basic idea is to restrict what can be created in each part of the DIT. Suppose you have a node called cn=people,dc=example,dc=org and you want to make sure that all nodes under it describe people. You might write rules like this:
access to dn.exact="cn=people,dc=example,dc=org" attrs=children by dn.exact="cn=admin,cn=people,dc=example,dc=org" write by * read
access to dn.onelevel="cn=people,dc=example,dc=org" filter="(objectClass=inetOrgPerson)" by dn.exact="cn=admin,cn=people,dc=example,dc=org" write by * read
The first rule allows the admin to create entries under the "cn=people,dc=example,dc=org" node.
The second rule says that the admin is allowed to write entries that are exactly one level below "cn=people,dc=example,dc=org" and that have objectClass=inetOrgPerson.
If no other rules give the admin user write permissions in this part of the DIT then you effectively have a structure rule. The admin only has write permission if the entry has the correct objectclass, so they cannot add something different.
I have used rules of this sort in the past, but ITS#4556 suggests that there are cases where they do not work. See recent discussion: http://www.openldap.org/lists/openldap-devel/200811/msg00014.html I have rules very similar to the example above which I have just tested on 2.3.27 and they work OK.... My actual rules use regex but I simplified them for this message.
Andrew