[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Help with ACL's

To: Tyler Gates <tjgates@castlebranch.com>
Subject: Re: Help with ACL's
From: Jonathan Clarke <jonathan@phillipoux.net>
Date: Sat, 06 Jun 2009 18:13:53 +0200
Cc: openldap-technical@openldap.org
In-reply-to: <20090605152922.2fe1daf9@ittyler.castlebranch.com>
References: <20090603082917.2ecea62a@ittyler.castlebranch.com> <4A2696A7.3060901@informatik.uni-bremen.de> <20090604082443.4c06b0bc@ittyler.castlebranch.com> <4A294723.2050004@phillipoux.net> <20090605152922.2fe1daf9@ittyler.castlebranch.com>
User-agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1pre) Gecko/20090529 Shredder/3.0b3pre

On 05/06/09 21:29, Tyler Gates wrote:

On 04.06.2009 14:24, Tyler Gates wrote:

Tyler Gates wrote:

Hello,
     I'm having a hard time setting some ACL's for my particular setup. I
have a structure as follows: dn: uid=*,ou=people,dc=example,dc=com #
uid contains several unix/linux user ids dn:
cn=*,ou=groups,dc=example,dc=com # cn contains several unix/linux
groups. uid's (not the complete dn) are supplied to the memberUid fields

What I would like to do is place an organizationalRole in each group
and have ACL's setup so that it's uniqueMembers have access to certain
attrs (say for example sn) for the uid's (which correspond to those in
ou=people) specified in the memberUid fields of the group in which the
organizationalRole is placed.

psuedo code would be something as follows:

access to
group/posixAccount/memberUid.regex("cn=(.*),ou=groups,dc=example,dc=com")
attrs sn by
group/organizationalRole/uniqueMembers/.regex("cn=admin,cn=$1,ou=groups,dc=example,dc=com")
write

Thanks,
      Tyler


Hi,

you can use sets for this:

      access to dn.regex="^(cn=[^,]+,ou=groups,dc=example,dc=com)$"
      attrs="sn"
         by set.expand="[cn=admin,$1]/memberUid&   user/uid" write


Regards,
Christian



Hi Christian,
      I think I get the set's but that ACL doesn't work, and I'm not sure
if regex's or set's will even do the job. A conditional statement if
possible may be the only way.  Again I'm looking for members of an
organizational role
(cn=admin,cn=groupname,ou=group,dc=example,dc=com) placed in a group
(cn=groupname,ou=group,dc=example,dc=com) to be able to access ONLY the
people listed in that group
(group/OrganizationalRole/memberUid((cn=groupname,ou=group,dc=example,dc=com))
and nobody else. The people listed in that group are the memberUid and
should match up to the complete dn as defined in
uid=<memberUid>,ou=people,dc=example,dc=com.


Hi,

You can use ACL sets to do this, as follows. I have adapted the example
to use organizationalRole's roleOccupant attribute, instead of memberUid.

access to dn.children="ou=people,dc=my-domain,dc=com" attrs=sn,entry
          by
set="((([ldap:///ou=group,dc=my-domain,dc=com??sub?(&(objectclass=organizationalRole)(cn=admin)(roleOccupant=]
+ user/entryDN + [))])/entryDN)/-1)/memberUid&  this/uid" read

Quick description:
1) Find all entries under "ou=group,dc=my-domain,dc=com" that match the
filter
"(&(objectclass=organizationalRole)(cn=admin)(roleOccupant=<current
user's DN>", and get their DN ("/entryDN") - this is all the admin
groups the current user is a member of.
2) For each of them, go up one level ("/-1"), thus getting the group
that they are an admin of.
3) Get the memberUid attributes of this group ("/memberUid")
4) Match them with the uid of the object we're trying to read.

See http://www.openldap.org/faq/data/cache/1133.html for more info on
sets syntax.

Of course, for this to work, you must allow auth access to the admin
user accounts, and search access to objects in ou=People.

Regards,
Jonathan
--
--------------------------------------------------------------
Jonathan Clarke - jonathan@phillipoux.net
--------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org
--------------------------------------------------------------


Holy hell, that works perfect! Thanks so much Jonathan!


No problem :)

But could you help me understand a portion of it a little better?
+ user/entryDN + [))])/entryDN)
The way I'm reading the set, that particular chunk seems unneeded
because the dn should already be expanded and ready for memberUid to be
stripped out by the remaining chunk.
Does it mean process each roleOccupant? And Why the '[))]'.

As you can see from the syntax, we're building up a ldap search URLhere, of the form


ldap:///<base>?<attrs>?<scope>?<filter>

So we have:
- base = ou=group,dc=my-domain,dc=com
- attrs = nothing
- scope = sub
- filter = (&(objectclass=organizationalRole)(cn=admin)(roleOccupant=DN))

The "[" and "]" operators indicate string literals.
The "+" operator concatenates strings.

So to build up the URL, we take the first part, concatenate"user/entryDN" and then concatenate the end of the filter "))".

However, the syntax in sets to perform a search is the following, asdescribed in the FAQ page:

[ldap:///<base>?<attrs>?<scope>?<filter>]/<attr>

In other words, the search is only performed if a "/<attr>" is found atthe end of the URL. This is why I add "/entryDN" after building up thesearch URL.

Last but not least, this does work for *all* groups the user is part of,since as sets' name indicated, they work on groups of elements. Thisworks for one or many elements, and only for 0 will it refuse access.


Hope this clears some things up...

Jonathan

Follow-Ups:
- Re: Help with ACL's
  - From: Tyler Gates <tjgates@castlebranch.com>

References:
- Help with ACL's
  - From: Tyler Gates <tjgates@castlebranch.com>
- Re: Help with ACL's
  - From: Christian Manal <moenoel@informatik.uni-bremen.de>
- Re: Help with ACL's
  - From: Tyler Gates <tjgates@castlebranch.com>
- Re: Help with ACL's
  - From: Jonathan Clarke <jonathan@phillipoux.net>
- Re: Help with ACL's
  - From: Tyler Gates <tjgates@castlebranch.com>

Prev by Date: Re: Help with ACL's
Next by Date: Re: slapcat unable to make ldif file with size > 2GB
Index(es):
- Chronological
- Thread