
Re: Concerns with OLC (cn=config) for editing schema, ACLs, and deleting entries



Nick Milas wrote:
> On 22/3/2012 3:56 μμ, Nick Milas wrote:
> > On 22/3/2012 2:20 μμ, btb wrote:
> >> i press the enter key on my keyboard
> > 
> > Thanks,
> > 
> > Interestingly, I found that the same is also possible with
> > JXPlorer.
> > 
> > ACLs can be formatted like that and they remain formatted. They also
> > function without problems.
> 
> Hi,
> 
> I am returning to an older thread, regarding the formatting of ACLs
> using Carriage Return (CRs) and spaces.
> 
> I have just realized that if we format (using CRs) ACLs stored as
> olcAccess attr values, then they are exported/stored as ldif in
> base64 encoded format (by all clients I tried).
> 
> Here is an example:
> 
> olcAccess: {25}to dn.subtree="ou=dns1,dc=noa,dc=gr"  by group/groupOfNames/member.exact="cn=techadmins,ou=groups,dc=noa,dc=gr" write  by group/groupOfNames/member.exact="cn=spaceadmins,ou=groups,dc=noa,dc=gr" read  by group/groupOfNames/member.exact="cn=astroadmins,ou=groups,dc=noa,dc=gr" read  by group/groupOfNames/member.exact="cn=geinadmins,ou=groups,dc=noa,dc=gr" read  by group/groupOfNames/member.exact="cn=meteoadmins,ou=groups,dc=noa,dc=gr" read  by group/groupOfNames/member.exact="cn=nestoradmins,ou=groups,dc=noa,dc=gr" read  by group/groupOfNames/member.exact="cn=guestadmins,ou=groups,dc=noa,dc=gr" read  by dn.base="uid=dnsauthusr,ou=system,dc=noa,dc=gr" read
> olcAccess:: ezI2fXRvIGRuLnN1YnRyZWU9Im91PWtyYmNvbnRhaW5lcixkYz1ub2EsZGM9Z3Ii
>  ICBhdHRycz1jaGlsZHJlbixlbnRyeQogICBieSBkbi5iYXNlPSJ1aWQ9ZG5zYXV0aHVzcixvdT1
>  zeXN0ZW0sZGM9bm9hLGRjPWdyIiBub25lICAKICAgYnkgZ3JvdXAvZ3JvdXBPZk5hbWVzL21lbW
>  Jlci5leGFjdD0iY249dGVjaGFkbWlucyxvdT1ncm91cHMsZGM9bm9hLGRjPWdyIiB3cml0ZSAgC
>  iAgIGJ5IGdyb3VwL2dyb3VwT2ZOYW1lcy9tZW1iZXIuZXhhY3Q9ImNuPXNwYWNlYWRtaW5zLG91
>  PWdyb3VwcyxkYz1ub2EsZGM9Z3IiIHJlYWQgIAogICBieSBncm91cC9ncm91cE9mTmFtZXMvbWV
>  tYmVyLmV4YWN0PSJjbj1hc3Ryb2FkbWlucyxvdT1ncm91cHMsZGM9bm9hLGRjPWdyIiByZWFkIC
>  AKICAgYnkgZ3JvdXAvZ3JvdXBPZk5hbWVzL21lbWJlci5leGFjdD0iY249Z2VpbmFkbWlucyxvd
>  T1ncm91cHMsZGM9bm9hLGRjPWdyIiByZWFkICAKICAgYnkgZ3JvdXAvZ3JvdXBPZk5hbWVzL21l
>  bWJlci5leGFjdD0iY249bWV0ZW9hZG1pbnMsb3U9Z3JvdXBzLGRjPW5vYSxkYz1nciIgcmVhZCA
>  gCiAgIGJ5IGdyb3VwL2dyb3VwT2ZOYW1lcy9tZW1iZXIuZXhhY3Q9ImNuPW5lc3RvcmFkbWlucy
>  xvdT1ncm91cHMsZGM9bm9hLGRjPWdyIiByZWFkICAKICAgYnkgZ3JvdXAvZ3JvdXBPZk5hbWVzL
>  21lbWJlci5leGFjdD0iY249Z3Vlc3RhZG1pbnMsb3U9Z3JvdXBzLGRjPW5vYSxkYz1nciIgcmVh
>  ZCAgCiAgIGJ5IGRuLmJhc2U9InVpZD1hdXRoZW50aWNhdGUsb3U9c3lzdGVtLGRjPW5vYSxkYz1
>  nciIgcmVhZCAgCiAgIGJ5IGRuLmJhc2U9InVpZD1sb2dpbmF1dGhiaW5kLG91PXN5c3RlbSxkYz
>  1ub2EsZGM9Z3IiIHJlYWQgIAogICBieSBkbi5iYXNlPSJ1aWQ9a2RjLXNlcnZpY2Usb3U9c3lzd
>  GVtLGRjPW5vYSxkYz1nciIgcmVhZCAgCiAgIGJ5IGRuLmJhc2U9InVpZD1rcmItYWRtLXNlcnZp
>  Y2Usb3U9c3lzdGVtLGRjPW5vYSxkYz1nciIgd3JpdGUgIAogICBieSAqICswIGJyZWFr
> 
> The former, ACL #25, was not formatted and is exported OK. However,
> the latter should be #26 and the actual value is as follows (copied
> from the GUI):
> 
> {26}to dn.subtree="ou=krbcontainer,dc=noa,dc=gr"  attrs=children,entry
>    by dn.base="uid=dnsauthusr,ou=system,dc=noa,dc=gr" none
>    by group/groupOfNames/member.exact="cn=techadmins,ou=groups,dc=noa,dc=gr" write
>    by group/groupOfNames/member.exact="cn=spaceadmins,ou=groups,dc=noa,dc=gr" read
>    by group/groupOfNames/member.exact="cn=astroadmins,ou=groups,dc=noa,dc=gr" read
>    by group/groupOfNames/member.exact="cn=geinadmins,ou=groups,dc=noa,dc=gr" read
>    by group/groupOfNames/member.exact="cn=meteoadmins,ou=groups,dc=noa,dc=gr" read
>    by group/groupOfNames/member.exact="cn=nestoradmins,ou=groups,dc=noa,dc=gr" read
>    by group/groupOfNames/member.exact="cn=guestadmins,ou=groups,dc=noa,dc=gr" read
>    by dn.base="uid=authenticate,ou=system,dc=noa,dc=gr" read
>    by dn.base="uid=loginauthbind,ou=system,dc=noa,dc=gr" read
>    by dn.base="uid=kdc-service,ou=system,dc=noa,dc=gr" read
>    by dn.base="uid=krb-adm-service,ou=system,dc=noa,dc=gr" write
>    by * +0 break
> 
> This actually is causing a serious problem (I would even call it a
> "*hell situation*"), because we can no more export/view our ACLs as
> ldif in a legible form. Moreover, we cannot edit this exported ldif
> and import it back to cover several editing needs.
I am pretty sure that after you have added the '\n' you have broken
the LDIF format. You may try '\n '.
> 
> Questions:
> 1. Is there a way we can export ldif, while automatically removing
> such formatting so that the ldif content is legible/editable as
> normal text?
Best is to not add additional characters. Here is a script to fix
the output. It is based on what you posted to this list and how you posted it.
I have disabled "line breaks" in my mailer.


# t=$(echo "ezI2fXRvIGRuLnN1YnRyZWU9Im91PWtyYmNvbnRhaW5lcixkYz1ub2EsZGM9Z3Ii
  ICBhdHRycz1jaGlsZHJlbixlbnRyeQogICBieSBkbi5iYXNlPSJ1aWQ9ZG5zYXV0aHVzcixvdT1
  zeXN0ZW0sZGM9bm9hLGRjPWdyIiBub25lICAKICAgYnkgZ3JvdXAvZ3JvdXBPZk5hbWVzL21lbW
  Jlci5leGFjdD0iY249dGVjaGFkbWlucyxvdT1ncm91cHMsZGM9bm9hLGRjPWdyIiB3cml0ZSAgC
  iAgIGJ5IGdyb3VwL2dyb3VwT2ZOYW1lcy9tZW1iZXIuZXhhY3Q9ImNuPXNwYWNlYWRtaW5zLG91
  PWdyb3VwcyxkYz1ub2EsZGM9Z3IiIHJlYWQgIAogICBieSBncm91cC9ncm91cE9mTmFtZXMvbWV
  tYmVyLmV4YWN0PSJjbj1hc3Ryb2FkbWlucyxvdT1ncm91cHMsZGM9bm9hLGRjPWdyIiByZWFkIC
  AKICAgYnkgZ3JvdXAvZ3JvdXBPZk5hbWVzL21lbWJlci5leGFjdD0iY249Z2VpbmFkbWlucyxvd
  T1ncm91cHMsZGM9bm9hLGRjPWdyIiByZWFkICAKICAgYnkgZ3JvdXAvZ3JvdXBPZk5hbWVzL21l
  bWJlci5leGFjdD0iY249bWV0ZW9hZG1pbnMsb3U9Z3JvdXBzLGRjPW5vYSxkYz1nciIgcmVhZCA
  gCiAgIGJ5IGdyb3VwL2dyb3VwT2ZOYW1lcy9tZW1iZXIuZXhhY3Q9ImNuPW5lc3RvcmFkbWlucy
  xvdT1ncm91cHMsZGM9bm9hLGRjPWdyIiByZWFkICAKICAgYnkgZ3JvdXAvZ3JvdXBPZk5hbWVzL
  21lbWJlci5leGFjdD0iY249Z3Vlc3RhZG1pbnMsb3U9Z3JvdXBzLGRjPW5vYSxkYz1nciIgcmVh
  ZCAgCiAgIGJ5IGRuLmJhc2U9InVpZD1hdXRoZW50aWNhdGUsb3U9c3lzdGVtLGRjPW5vYSxkYz1
  nciIgcmVhZCAgCiAgIGJ5IGRuLmJhc2U9InVpZD1sb2dpbmF1dGhiaW5kLG91PXN5c3RlbSxkYz
  1ub2EsZGM9Z3IiIHJlYWQgIAogICBieSBkbi5iYXNlPSJ1aWQ9a2RjLXNlcnZpY2Usb3U9c3lzd
  GVtLGRjPW5vYSxkYz1nciIgcmVhZCAgCiAgIGJ5IGRuLmJhc2U9InVpZD1rcmItYWRtLXNlcnZp
  Y2Usb3U9c3lzdGVtLGRjPW5vYSxkYz1nciIgd3JpdGUgIAogICBieSAqICswIGJyZWFr" |fmt_olcAccess |sed -ne 's/ //g;p'|base64 -d); echo "$t"|fmt_olcAccess

{26}to dn.subtree="ou=krbcontainer,dc=noa,dc=gr"  attrs=children,entry
  by dn.base="uid=dnsauthusr,ou=system,dc=noa,dc=gr" none
  by group/groupOfNames/member.exact="cn=techadmins,ou=groups,dc=noa,dc=gr" write
  by group/groupOfNames/member.exact="cn=spaceadmins,ou=groups,dc=noa,dc=gr" read
  by group/groupOfNames/member.exact="cn=astroadmins,ou=groups,dc=noa,dc=gr" read
  by group/groupOfNames/member.exact="cn=geinadmins,ou=groups,dc=noa,dc=gr" read
  by group/groupOfNames/member.exact="cn=meteoadmins,ou=groups,dc=noa,dc=gr" read
  by group/groupOfNames/member.exact="cn=nestoradmins,ou=groups,dc=noa,dc=gr" read
  by group/groupOfNames/member.exact="cn=guestadmins,ou=groups,dc=noa,dc=gr" read
  by dn.base="uid=authenticate,ou=system,dc=noa,dc=gr" read
  by dn.base="uid=loginauthbind,ou=system,dc=noa,dc=gr" read
  by dn.base="uid=kdc-service,ou=system,dc=noa,dc=gr" read
  by dn.base="uid=krb-adm-service,ou=system,dc=noa,dc=gr" write
  by * +0 break


> 2. Is there a way (some command) to automatically
> remove all CRs wherever they exist in olcAccess values, to avoid
> editing one by one (in order to remove all CRs)?
> 
> [Note: I have indications (though I have not tested sufficiently)
> that Apache Directory Studio may have problems in handling correctly
> ACL modifications when some of the olcAccess values are formatted as
> above. In one case I totally lost inexplicably all ACLs numbered
> higher than the olcAccess value I was editing. Just a word of
> caution, although I don't have enough test data at this time.]
Don't use tools for ACL editing that don't work as expected. I use my
self-written sed filter to beautify olcAccess lines.

# cat $(which fmt_olcAccess)

#!/bin/sed -rf
# Author: Harry Jede
# produce human readable but still machine parseable
# olcAccess lines and removes the ordering numbers in {}
# because humans don't need them, really.

# disable next line, if you like the numbering
s/^(olcAccess: )\{[[:digit:]]+\}(.*$)/\1\2/
$!{H;d}
# add more spaces after the second "\n" to have a greater indent
# TWO spaces is the minimum for correct LDIF format
${H;g;s/\n //g;s/[[:space:]]+by /\n  by /g}


This script does not delete any additional characters.


> Please advise!
> 
> Thanks,
> Nick


-- 

Harry Jede
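An added example, not code from this thread and not OpenLDAP's own tooling, that does in Python what Nick's two questions ask for and what the '\n ' remark is about. It unfolds an LDIF export (a physical line starting with one space continues the logical line before it), base64-decodes the "olcAccess::" values that were encoded only because the stored ACL contained newlines, collapses the embedded whitespace so each ACL is one line again, and writes plain, folded LDIF back out. It also checks that the {n} ordering prefixes are still contiguous, which is the check to run after any GUI edit given the lost-higher-numbered-ACLs incident above. The sample export, its DNs and the ACL text are constructed for this example; `needs_base64` implements the RFC 2849 SAFE-STRING rules, and `normalize_acl` relies on slapd tokenising ACLs on whitespace (it would also collapse repeated spaces inside a quoted DN, so check such DNs before importing).

```python
"""Clean up olcAccess values in a cn=config LDIF export.  Constructed example for
this thread: not OpenLDAP code, not Harry's fmt_olcAccess; the DNs are invented."""
import base64
import re

LDIF_WIDTH = 76  # RFC 2849 folds at 76 columns; a continuation line starts with a space


def unfold_ldif(text):
    """Parse one LDIF record into (attribute, value) pairs; decodes 'attr:: b64'."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:      # a fold, the "\n " Harry refers to
            logical[-1] += raw[1:]
        elif raw.startswith("#") or not raw.strip():
            continue
        else:
            logical.append(raw)
    pairs = []
    for line in logical:
        attr, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF attribute line: %r" % line)
        if rest.startswith(":"):                 # base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.lstrip(" ")
        pairs.append((attr, value))
    return pairs

def normalize_acl(value):
    """Collapse every whitespace run (CR, LF, tab, double space) to one space.
    slapd tokenises ACLs on whitespace, so the meaning is unchanged; caveat:
    runs of spaces inside a quoted DN value would be collapsed as well."""
    return re.sub(r"\s+", " ", value).strip()

def needs_base64(value):
    """RFC 2849: base64 is required if the value starts with SPACE, ':' or '<',
    or contains NUL, CR, LF or a non-ASCII character (a raw newline in an ACL)."""
    if value and value[0] in " :<":
        return True
    return any(ord(c) > 127 or c in "\0\r\n" for c in value)

def fold(line, width=LDIF_WIDTH):
    """Fold one logical line into physical lines of at most `width` columns."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)

def emit_ldif(pairs):
    """Write pairs back as LDIF, base64-encoding only where the RFC demands it."""
    lines = []
    for attr, value in pairs:
        if needs_base64(value):
            value = base64.b64encode(value.encode("utf-8")).decode("ascii")
            lines.append(fold("%s:: %s" % (attr, value)))
        else:
            lines.append(fold("%s: %s" % (attr, value)))
    return "\n".join(lines) + "\n"

def check_acl_order(values):
    """(ok, indices): ok only if the {n} prefixes run 0, 1, 2, ... in order.
    Run it after every GUI edit: a gap means an ACL was silently dropped."""
    indices = []
    for v in values:
        m = re.match(r"\{(\d+)\}", v)
        indices.append(int(m.group(1)) if m else None)
    return indices == list(range(len(indices))), indices

def normalize_ldif(text):
    """Return (clean LDIF text, list of normalised olcAccess values)."""
    pairs = [(a, normalize_acl(v) if a == "olcAccess" else v)
             for a, v in unfold_ldif(text)]
    acls = [v for a, v in pairs if a == "olcAccess"]
    return emit_ldif(pairs), acls

def pretty_acl(value):
    """Read-only view with one 'by' clause per line (what fmt_olcAccess prints)."""
    return re.sub(r"\s+by ", "\n  by ", value)

# Constructed sample export: ACL {1} carries the newline-and-indent formatting
# from the thread, so an exporter has to base64-encode it.
ACL1_FORMATTED = (
    '{1}to dn.subtree="ou=krbcontainer,dc=example,dc=org"  attrs=children,entry\n'
    '   by dn.base="uid=kdc-service,ou=system,dc=example,dc=org" read  \n'
    '   by dn.base="uid=krb-adm-service,ou=system,dc=example,dc=org" write  \n'
    '   by * +0 break')
SAMPLE_LDIF = (
    "dn: olcDatabase={1}hdb,cn=config\n"
    + fold('olcAccess: {0}to dn.subtree="ou=dns1,dc=example,dc=org"  by group/'
           'groupOfNames/member.exact="cn=techadmins,ou=groups,dc=example,dc=org"'
           ' write  by * read') + "\n"
    + fold("olcAccess:: " + base64.b64encode(ACL1_FORMATTED.encode()).decode()) + "\n")

if __name__ == "__main__":
    clean, acls = normalize_ldif(SAMPLE_LDIF)
    print(clean, check_acl_order(acls), pretty_acl(acls[1]), sep="\n")
```

Feed a real `slapcat -n 0` or `ldapsearch -LLL -b cn=config` dump through `normalize_ldif` instead of the constructed sample; the output contains no "olcAccess::" lines because no value contains a newline any more, so it can be read, edited and imported like ordinary LDIF. Keep the {n} prefixes on import, since slapd uses them to order the ACLs, and treat a `False` from `check_acl_order` as a stop sign before replacing anything on the server.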