[Date Prev][Date Next] [Chronological] [Thread] [Top]

ACL in dynamic configuration

To: openldap-technical@openldap.org
Subject: ACL in dynamic configuration
From: Nick Milas <nick@eurobjects.com>
Date: Fri, 23 Dec 2011 00:23:08 +0200
User-agent: Mozilla/5.0 (Windows NT 5.1; rv:9.0) Gecko/20111220 Thunderbird/9.0

Hello,

I have converted from static (slapd.conf) to dynamic (cn=config)configuration using auto file conversion.

I would like to ask a couple of questions regarding ACL conversion. Herefollows one of the rules we have in initial form (a), and afterconversion (b):

(a)

access todn.subtree="dc=xxx.xxx.xxx.in-addr.arpa,ou=dns1,dc=example,dc=gr"attrs="children,entry"

        by group.exact="cn=TechAdmins,ou=Groups,dc=example,dc=gr" write
        by group.exact="cn=Dept1Admins,ou=Groups,dc=example,dc=gr" read
        by group.exact="cn=Dept2Admins,ou=Groups,dc=example,dc=gr" write
        by group.exact="cn=Dept3Admins,ou=Groups,dc=example,dc=gr" read
        by group.exact="cn=Dept4Admins,ou=Groups,dc=example,dc=gr" read
        by group.exact="cn=Dept5Admins,ou=Groups,dc=example,dc=gr" read
        by group.exact="cn=GuestAdmins,ou=Groups,dc=example,dc=gr" read
        by dn.exact="uid=dnsauthusr,ou=System,dc=example,dc=gr" read
        by * break

(b) as an olcAccess attribute value:

{10}todn.subtree="dc=xxx.xxx.xxx.in-addr.arpa,ou=dns1,dc=example,dc=gr"attrs=children,entry bygroup/groupOfNames/member.exact="cn=techadmins,ou=groups,dc=example,dc=gr"write bygroup/groupOfNames/member.exact="cn=Dept1Admins,ou=groups,dc=example,dc=gr"read bygroup/groupOfNames/member.exact="cn=Dept2Admins,ou=groups,dc=example,dc=gr"write bygroup/groupOfNames/member.exact="cn=Dept3Admins,ou=groups,dc=example,dc=gr"read bygroup/groupOfNames/member.exact="cn=Dept4Admins,ou=groups,dc=example,dc=gr"read bygroup/groupOfNames/member.exact="cn=Dept5Admins,ou=groups,dc=example,dc=gr"read bygroup/groupOfNames/member.exact="cn=guestadmins,ou=groups,dc=example,dc=gr"read by dn.base="uid=dnsauthusr,ou=system,dc=example,dc=gr" read by *+0 break


Question 1.

Why "group.exact" was changed to "group/groupOfNames/member.exact" ?Yes, groups are defined as entries of groupOfNames objectClass, withmembers defined as values of attribute "member". But should it be likethat? Should we change (manually) "group/groupOfNames/member.exact" backto "group.exact" again or not (and why)?


Question 2.

Is there a way we can add (manually, since conversion removed the oneswhich existed in initial configuration files) line breaks in olcAccessattribute value so it can be more legible (for administrative purposes)?


Question 3.
What is the "+0" added before "break" and why is needed?

Thanks in advance,
Nick

Follow-Ups:
- Re: ACL in dynamic configuration
  - From: Nick Milas <nick@eurobjects.com>

Prev by Date: Re: userCertificate, wrong attribute type?
Next by Date: Re: password-policy configuration problems: cannot change passwords
Index(es):
- Chronological
- Thread