Andrew Findlay <andrew.findlay@skills-1st.co.uk> wrote:

> [ This is a very old thread you are resurrecting! ]

sorry, but I was not able to find the answer yet

below is a bit long reply/commentary ...

> > access to dn.subtree="ou=People,dc=foo"
> >     by set="[cn=admin,ou=group,dc=foo]/memberUid & user/uid" manage
> >     by self write
> >     by users read
> >     by * break
> >
> > but in addition I need to allow my coadmins to do the same things except
> > manipulations upon the objects which belong to admins (
> > ...anyobject,uid=adminuser,ou=People,dc=foo )

here I meant the objects which are the children of the admin's object, like these:

---[ LDIF 1 quotation start ]-------------------------------------------
## topmost object, "root" object, the one used for access to LDAP objects
dn: uid=adminuser,ou=People,dc=foo
...
objectClass: person

## branch for email service of talax.startrek.in domain object
dn: authorizedService=mail@talax.startrek.in,uid=adminuser,ou=People,dc=foo
...
objectClass: person

## email service of talax.startrek.in domain object
dn: uid=neelix@talax.startrek.in,authorizedService=mail@talax.startrek.in,uid=adminuser,ou=People,dc=foo
...
objectClass: person

## branch for email service of rinax.startrek.in domain object
dn: authorizedService=mail@rinax.startrek.in,uid=adminuser,ou=People,dc=foo
...
objectClass: person

## email service of rinax.startrek.in domain object
dn: uid=alixia@rinax.startrek.in,authorizedService=mail@rinax.startrek.in,uid=adminuser,ou=People,dc=foo
...
objectClass: person
---[ LDIF 1 quotation end ]-------------------------------------------

> It depends partly on why the ACI ends with 'by * break'. What other
> rules could be applied in that case?

ok, thank you :)

now I was able to get it all working this way:

---[ slapd.conf quotation start ]-------------------------------------------
...
## in the beginning we allow admins anything
access to *
    by set="[cn=admin,ou=group,ou=system,dc=foo]/memberUid & user/uid" manage
    by * break

## allowing all replicas to access the log
access to dn.children="cn=foo-accesslog"
    by dn.one="ou=repl,ou=system,dc=foo" read
    by * break

## allowing replica serving domain talax.startrek.in
access to dn.regex="^uid=(.*)@talax.startrek.in,authorizedService=(mail|xmpp)@talax.startrek.in,uid=(.*),ou=People,dc=foo$"
    attrs=entry,entryCSN,entryUUID, ... ,authorizedService,mu-mailBox
    by dn.exact="uid=repl-talax,ou=repl,ou=system,dc=foo" read
    by * break

access to dn.children="ou=talax,ou=Sendmail,dc=foo"
    by dn.exact="uid=repl-talax,ou=repl,ou=system,dc=foo" read
    by * stop

## allowing replica serving domain rinax.startrek.in
access to dn.regex="^uid=(.*)@rinax.startrek.in,authorizedService=(mail|xmpp)@rinax.startrek.in,uid=(.*),ou=People,dc=foo$"
    attrs=entry,entryCSN,entryUUID, ... ,authorizedService,mu-mailBox
    by dn.exact="uid=repl-rinax,ou=repl,ou=system,dc=foo" read
    by * break

access to dn.children="ou=talax,ou=Sendmail,dc=foo"
    by dn.exact="uid=repl-rinax,ou=repl,ou=system,dc=foo" read
    by * stop

## allowing access to jpegPhoto:
### replicas to search (otherwise replication failed)
### admins, coadmins, self and the topmost DN (the 1-st object in LDIF 1 sample above) to write
access to dn.subtree="ou=People,dc=foo" attrs=jpegPhoto
    by dn.one="ou=repl,ou=system,dc=foo" search
    by set="[cn=admin,ou=group,ou=system,dc=foo]/memberUid & user/uid" write
    by set="[cn=coadmin,ou=group,ou=system,dc=foo]/memberUid & user/uid" write
    by set.exact="this/-2 & user" write
    by self write
    by * none

## likewise
access to dn.subtree="ou=People,dc=foo"
    by dn.one="ou=repl,ou=system,dc=foo" search
    by set="[cn=acl-w-people,ou=group,ou=system,dc=foo]/memberUid & user/uid" write
    by set="[cn=acl-r-people,ou=group,ou=system,dc=foo]/memberUid & user/uid" read
    by self write
    by users read
    by * none

access to dn.subtree="ou=Organizations,dc=foo"
    by dn.one="ou=repl,ou=system,dc=foo" search
    by set="[cn=acl-w-organizations,ou=group,ou=system,dc=foo]/memberUid & user/uid" write
    by set="[cn=acl-r-organizations,ou=group,ou=system,dc=foo]/memberUid & user/uid" read
    by users read
    by * none

access to dn.subtree="ou=Inventory,dc=foo"
    by dn.one="ou=repl,ou=system,dc=foo" search
    by set="[cn=acl-w-inventory,ou=group,ou=system,dc=foo]/memberUid & user/uid" write
    by set="[cn=acl-r-inventory,ou=group,ou=system,dc=foo]/memberUid & user/uid" read
    by users read
    by * none

access to dn.subtree="ou=group,dc=foo"
    by dn.one="ou=repl,ou=system,dc=foo" search
    by set="[cn=acl-w-group,ou=group,ou=system,dc=foo]/memberUid & user/uid" write
    by set="[cn=acl-r-group,ou=group,ou=system,dc=foo]/memberUid & user/uid" read
    by users read
    by * none

# for `users' we set `search' because `read' allows to read all, but
# we tried to narrow what replica can get, otherwise removing it makes
# it impossible to get anything (perhaps it blocks some objects needed)
access to *
    by dn.exact="uid=SPECIAL-USER,ou=People,dc=foo" manage
    by set="[cn=admin,ou=group,ou=system,dc=foo]/memberUid & user/uid" manage
    by peername.ip=127.0.0.1 read
    by dn.one="ou=repl,ou=system,dc=foo" search
    by set="[cn=bind,ou=group,ou=system,dc=foo]/memberUid & user/uid" read
    by self read
    by users read
    by * none
...
---[ slapd.conf quotation end ]-------------------------------------------

> In the simple case where 'by * none' would have the same effect, you could
> just put another ACI ahead of the one above so it comes out like this:
> ...
> The problem is to write the '<expression matching the admin user DNs>'.

is there a way to know whether a DN is a child of the admin's one, except to look at the end of it, whether it ends with "uid=ADMIN-USER-TO-PROCESS,ou=People,dc=foo" ?

> That would probably be easier if you were not defining admin users by their
> UID in a Posix group. Ideally there would be an attribute visible in each
> entry that defines admin status, as then you could just key on that.

it implies using the attribute for each child object of the admin object, like:

---[ LDIF 2 quotation start ]-------------------------------------------
dn: uid=adminuser,ou=People,dc=foo
belongsToAdmin: yes
...
objectClass: person

## branch for email service of talax.startrek.in domain object
dn: authorizedService=mail@talax.startrek.in,uid=adminuser,ou=People,dc=foo
belongsToAdmin: yes
...
objectClass: person

## email service of talax.startrek.in domain object
dn: uid=neelix@talax.startrek.in,authorizedService=mail@talax.startrek.in,uid=adminuser,ou=People,dc=foo
belongsToAdmin: yes
...
objectClass: person

## branch for email service of rinax.startrek.in domain object
dn: authorizedService=mail@rinax.startrek.in,uid=adminuser,ou=People,dc=foo
belongsToAdmin: yes
...
objectClass: person

## email service of rinax.startrek.in domain object
dn: uid=alixia@rinax.startrek.in,authorizedService=mail@rinax.startrek.in,uid=adminuser,ou=People,dc=foo
belongsToAdmin: yes
...
objectClass: person
---[ LDIF 2 quotation end ]-------------------------------------------

correct?

> If your admin group is defined as a standard DN-based groupOfNames then
> you could use the memberof overlay to reflect membership into an attribute
> of the user entry.

it implies providing all the admin's children DNs as members of such a group, like

---[ LDIF 3 quotation start ]-------------------------------------------
dn: cn=admin,ou=group,ou=system,dc=foo
cn: admin
member: uid=adminuser,ou=People,dc=foo
member: authorizedService=mail@talax.startrek.in,uid=adminuser,ou=People,dc=foo
member: uid=neelix@talax.startrek.in,authorizedService=mail@talax.startrek.in,uid=adminuser,ou=People,dc=foo
member: authorizedService=mail@rinax.startrek.in,uid=adminuser,ou=People,dc=foo
member: uid=alixia@rinax.startrek.in,authorizedService=mail@rinax.startrek.in,uid=adminuser,ou=People,dc=foo
objectClass: groupOfNames
---[ LDIF 3 quotation end ]-------------------------------------------

correct?

--
Zeus V. Panchenko                                     jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC                                            GMT+2 (EET)
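The question in the message above is whether "is this entry a child of an admin's entry" can be decided from the DN alone, and whether the `this/-2` set rule really lands on the topmost `uid=...,ou=People,dc=foo` object. The following Python is an added illustration written for this page; it is not code from the thread or from OpenLDAP, and it only models the DN arithmetic (RDN splitting with RFC 4514 backslash escapes, suffix checks, stripping N RDNs) plus the coadmin policy the poster describes. The admin set and all DNs are constructed from the LDIF in the post; the assumption that `this/-2` denotes the grandparent entry follows from the post's own comment on the jpegPhoto rule. Case folding of every RDN is a simplification of LDAP's per-attribute matching rules.

```python
"""Added example (not from the thread): DN-ancestry checks for the
"does this entry belong to an admin?" question in the OpenLDAP ACL post."""
import re

PEOPLE = "ou=People,dc=foo"
# Constructed: the uids that cn=admin,ou=group,ou=system,dc=foo lists in memberUid.
ADMIN_UIDS = {"adminuser"}


def split_dn(dn):
    """Split a DN into RDN strings, leaf first, honouring backslash escapes
    so an escaped comma inside a value is not treated as a separator."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):      # keep escape pair intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if c == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def _norm(rdn):
    # Simplification: fold attribute type and value to lower case for comparison.
    attr, _, val = rdn.partition("=")
    return attr.strip().lower() + "=" + val.strip().lower()


def dn_parts(dn):
    return [_norm(r) for r in split_dn(dn)]


def ancestor(dn, levels):
    """Strip `levels` RDNs from the leaf end; models the set ACL's this/-N
    (assumption: this/-2 is the grandparent, as the post's jpegPhoto rule implies)."""
    parts = split_dn(dn)
    if levels >= len(parts):
        return None
    return ",".join(parts[levels:])


def is_child_of(dn, base):
    """True when dn lies strictly below base (dn.children semantics)."""
    d, b = dn_parts(dn), dn_parts(base)
    return len(d) > len(b) and d[-len(b):] == b


def owner_of(dn):
    """For any entry under ou=People,dc=foo, return the top-level person entry
    it hangs from (the entry itself when it is a direct child of ou=People)."""
    if not is_child_of(dn, PEOPLE):
        return None
    depth = len(dn_parts(PEOPLE))
    return ",".join(split_dn(dn)[-(depth + 1):])


def owner_uid(dn):
    """uid value of the owning entry, or None if the owner RDN is not uid=."""
    own = owner_of(dn)
    if own is None:
        return None
    attr, _, val = split_dn(own)[0].partition("=")
    return val.strip() if attr.strip().lower() == "uid" else None


def coadmin_may_write(target_dn, admins=ADMIN_UIDS):
    """Policy from the post: coadmins may manage entries under ou=People,
    except an admin's own entry and everything beneath it."""
    uid = owner_uid(target_dn)
    return uid is not None and uid not in admins


def admin_owned_regex(admins=ADMIN_UIDS):
    """The 'look at the end of the DN' approach as one regex: matches an admin's
    entry or any descendant of it. Suitable shape for a dn.regex-style check."""
    tails = "|".join(re.escape("uid=%s,%s" % (u, PEOPLE)) for u in sorted(admins))
    return r"^(?:.+,)?(?:%s)$" % tails


if __name__ == "__main__":
    neelix = ("uid=neelix@talax.startrek.in,authorizedService=mail@talax.startrek.in,"
              "uid=adminuser,ou=People,dc=foo")
    print(ancestor(neelix, 2))            # uid=adminuser,ou=People,dc=foo
    print(coadmin_may_write(neelix))      # False: belongs to an admin
    print(coadmin_may_write("uid=bob,ou=People,dc=foo"))  # True
```

The regex form answers the "except to look at the end of it" question literally: with plain string matching you can only anchor on the suffix, and the match is case-sensitive, which is why `owner_of` normalises RDNs before comparing. The escape-aware splitter matters because a value containing `\,` would otherwise produce a bogus extra RDN and shift which entry is treated as the owner.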