[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACLs based on attributes?

Jaap Winius wrote:
Quoting Dieter Kluenter<dieter@dkluenter.de>:

this rule should do the trick:
access to dn.regex="cn=([^,]+),ou=whatsoever$"
        by set="user/title&  [telephoneManager]" write


This is what I'm using now:

     access to attrs=telephoneNumber
          by set="user/title&  [telephonemanager]" write
          by users read

This works for a user with attr title=telephonemanager. However, to
demonstrate the flexibility of this set rule...

     access to attrs=telephoneNumber
          by set="user/description&  [telephonemanager]" write
          by users read

... this works for a user with attr description=telephonemanager!

This is cool regardless, but I think my NIU-friend would say that it's
cool because this set rule allows you to give users telephonemanager
privileges without the need to maintain a telephonemanager group.

Actually, I think this solution can be improved upon significantly.
For example, what if our privileged user had this attribute:

     description: titlemanager telephonemanager addressmanager

Can a a set rule be devised to match not only users with a description
value that equals "telephonemanager", but also one that includes it in
a longer string? We would need something like:

     access to attrs=telephoneNumber
          by set="user/description&  [*telephonemanager*]" write
          by users read

Only, that doesn't work.

Is this possible?

It is unnecessary. The description attribute is multivalued, just use it correctly.

description: titlemanager
description: telephonemanager
description: addressmanager

I'll also note that using a set for this purpose is still inferior to using a dynamic group, in terms of performance. Dynamic group evaluations are cached, sets are not.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/