
Re: ACL entry creation restricted to objectClass



> Hi,
>
> is it possible to restrict the creation of an entry to a specific
> objectClass? If so, any hint or assistance would be very welcome.
>
> Thank you very much!
>
> Background information follows here:
>
> The attrs "@person" within the following acl statement seem to have no
> effect (during creation). It seems to me attrs=entry already is granting
> access to "all values" (of all kinds of attributes?):

@<objectClass name> is a shortcut for "all attributes required/allowed by
objectClass 'name'".  In order to restrict access to specific values of
the objectClass attribute you need to use the form

access to attrs=objectClass val=person
   ...

p.

>
> -----------------------
> #slapd version: HEAD (also REL_ENG_2_4)
>
> -----------------------
> #acl:
> access to dn.base="dc=example,dc=org" attrs=children
>   by users write
>
> access to dn.one="dc=example,dc=org" attrs=entry,@person
>   by users write
>   by anonymous auth
>
> -----------------------
> #ldapmodify -x -H "ldap://localhost:333/" -D "uid=user,dc=example,dc=org"
> -w user -f /tmp/example_operation.ldif
>
> -----------------------
> #/tmp/example_operation.ldif:
>
> #add a person entry:
> dn: cn=hello,dc=example,dc=org
> changetype: add
> objectClass: person
> objectClass: top
> cn: hello
> sn: hello
> userPassword: hello
>
> #add an account entry:
> dn: cn=world,dc=example,dc=org
> changetype: add
> objectClass: device
> objectClass: top
> cn:world
> serialNumber: 1
>
> #both operations do succeed, see log below
>
> -----------------------
> #log (level 128):
> 5050a940 => access_allowed: result not in cache (userPassword)
> 5050a940 => access_allowed: auth access to "uid=user,dc=example,dc=org"
> "userPassword" requested
> 5050a940 => dn: [1] dc=example,dc=org
> 5050a940 => dn: [2] dc=example,dc=org
> 5050a940 => acl_get: [2] matched
> 5050a940 => acl_get: [2] attr userPassword
> 5050a940 => acl_mask: access to entry "uid=user,dc=example,dc=org", attr
> "userPassword" requested
> 5050a940 => acl_mask: to value by "", (=0)
> 5050a940 <= check a_dn_pat: users
> 5050a940 <= check a_dn_pat: anonymous
> 5050a940 <= acl_mask: [2] applying auth(=xd) (stop)
> 5050a940 <= acl_mask: [2] mask: auth(=xd)
> 5050a940 => slap_access_allowed: auth access granted by auth(=xd)
> 5050a940 => access_allowed: auth access granted by auth(=xd)
> 5050a940 => access_allowed: add access to "dc=example,dc=org" "children"
> requested
> 5050a940 => dn: [1] dc=example,dc=org
> 5050a940 => acl_get: [1] matched
> 5050a940 => acl_get: [1] attr children
> 5050a940 => acl_mask: access to entry "dc=example,dc=org", attr "children"
> requested
> 5050a940 => acl_mask: to all values by "uid=user,dc=example,dc=org", (=0)
> 5050a940 <= check a_dn_pat: users
> 5050a940 <= acl_mask: [1] applying write(=wrscxd) (stop)
> 5050a940 <= acl_mask: [1] mask: write(=wrscxd)
> 5050a940 => slap_access_allowed: add access granted by write(=wrscxd)
> 5050a940 => access_allowed: add access granted by write(=wrscxd)
> 5050a940 => access_allowed: add access to "cn=hello,dc=example,dc=org"
> "entry" requested
> 5050a940 => dn: [1] dc=example,dc=org
> 5050a940 => dn: [2] dc=example,dc=org
> 5050a940 => acl_get: [2] matched
> 5050a940 => acl_get: [2] attr entry
> 5050a940 => acl_mask: access to entry "cn=hello,dc=example,dc=org", attr
> "entry" requested
> 5050a940 => acl_mask: to all values by "uid=user,dc=example,dc=org", (=0)
> 5050a940 <= check a_dn_pat: users
> 5050a940 <= acl_mask: [1] applying write(=wrscxd) (stop)
> 5050a940 <= acl_mask: [1] mask: write(=wrscxd)
> 5050a940 => slap_access_allowed: add access granted by write(=wrscxd)
> 5050a940 => access_allowed: add access granted by write(=wrscxd)
> 5050a940 => access_allowed: add access to "dc=example,dc=org" "children"
> requested
> 5050a940 => dn: [1] dc=example,dc=org
> 5050a940 => acl_get: [1] matched
> 5050a940 => acl_get: [1] attr children
> 5050a940 => acl_mask: access to entry "dc=example,dc=org", attr "children"
> requested
> 5050a940 => acl_mask: to all values by "uid=user,dc=example,dc=org", (=0)
> 5050a940 <= check a_dn_pat: users
> 5050a940 <= acl_mask: [1] applying write(=wrscxd) (stop)
> 5050a940 <= acl_mask: [1] mask: write(=wrscxd)
> 5050a940 => slap_access_allowed: add access granted by write(=wrscxd)
> 5050a940 => access_allowed: add access granted by write(=wrscxd)
> 5050a940 => access_allowed: add access to "cn=world,dc=example,dc=org"
> "entry" requested
> 5050a940 => dn: [1] dc=example,dc=org
> 5050a940 => dn: [2] dc=example,dc=org
> 5050a940 => acl_get: [2] matched
> 5050a940 => acl_get: [2] attr entry
> 5050a940 => acl_mask: access to entry "cn=world,dc=example,dc=org", attr
> "entry" requested
> 5050a940 => acl_mask: to all values by "uid=user,dc=example,dc=org", (=0)
> 5050a940 <= check a_dn_pat: users
> 5050a940 <= acl_mask: [1] applying write(=wrscxd) (stop)
> 5050a940 <= acl_mask: [1] mask: write(=wrscxd)
> 5050a940 => slap_access_allowed: add access granted by write(=wrscxd)
> 5050a940 => access_allowed: add access granted by write(=wrscxd)

-- 
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano
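The ordered ACL set that the reply's `attrs=objectClass val=person` form leads to, written out as an added example that is not part of the original post or reply; the extra clause for the value `top` and the read-only fallback for other objectClass values are assumptions made here, as is the choice to keep the poster's remaining clauses unchanged.

```conf
# Added example (not from the thread): restrict adds under
# dc=example,dc=org to entries whose objectClass values are
# "person" and "top". slapd applies the first "access to" clause
# that matches a given attribute/value, so the value-specific
# clauses must come before the general ones.

access to dn.base="dc=example,dc=org" attrs=children
  by users write

# Only these two objectClass values may be written by users.
# (Assumption: "top" is granted too, since every entry carries it.)
access to dn.one="dc=example,dc=org" attrs=objectClass val=person
  by users write
access to dn.one="dc=example,dc=org" attrs=objectClass val=top
  by users write

# Any other objectClass value (e.g. "device") stays read-only here,
# so it never falls through to the @person shortcut below, which
# covers objectClass itself because "top" requires that attribute.
access to dn.one="dc=example,dc=org" attrs=objectClass
  by users read

access to dn.one="dc=example,dc=org" attrs=entry,@person
  by users write
  by anonymous auth
```

Re-running the poster's ldapmodify with loglevel 128 should then show the `[2]`/`[3]` value clauses matching for the person entry and the read-only clause being applied to the `device` value.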