Andrew Findlay <andrew.findlay@skills-1st.co.uk> wrote:
> [ This is a very old thread you are resurrecting! ]
sorry, but I was not able to find the answer yet
below is a bit long reply/commentary ...
> > access to dn.subtree="ou=People,dc=foo"
> > by set="[cn=admin,ou=group,dc=foo]/memberUid & user/uid" manage
> > by self write
> > by users read
> > by * break
> >
> > but in addition I need to allow my coadmins to do the same things except
> > manipulations upon the objects which belong to admins (
> > ...anyobject,uid=adminuser,ou=People,dc=foo )
here I meant the objects which are the children of the admin's object, like these:
---[ LDIF 1 quotation start ]-------------------------------------------
## topmost object, "root" object, the one used for access to LDAP objects
dn: uid=adminuser,ou=People,dc=foo
...
objectClass: person
## branch for email service of talax.startrek.in domain object
dn: authorizedService=mail@talax.startrek.in,uid=adminuser,ou=People,dc=foo
...
objectClass: person
## email service of talax.startrek.in domain object
dn: uid=neelix@talax.startrek.in,authorizedService=mail@talax.startrek.in,uid=adminuser,ou=People,dc=foo
...
objectClass: person
## branch for email service of rinax.startrek.in domain object
dn: authorizedService=mail@rinax.startrek.in,uid=adminuser,ou=People,dc=foo
...
objectClass: person
## email service of rinax.startrek.in domain object
dn: uid=alixia@rinax.startrek.in,authorizedService=mail@rinax.startrek.in,uid=adminuser,ou=People,dc=foo
...
objectClass: person
---[ LDIF 1 quotation end ]-------------------------------------------
> It depends partly on why the ACI ends with 'by * break'. What other
> rules could be applied in that case?
ok, thank you :)
now I managed to get it all working this way:
---[ slapd.conf quotation start ]-------------------------------------------
...
## in the beginning we allow admins anything
access to *
by set="[cn=admin,ou=group,ou=system,dc=foo]/memberUid & user/uid" manage
by * break
## allowing all replicas to access the log
access to dn.children="cn=foo-accesslog"
by dn.one="ou=repl,ou=system,dc=foo" read
by * break
## allowing replica serving domain talax.startrek.in
access to dn.regex="^uid=(.*)@talax.startrek.in,authorizedService=(mail|xmpp)@talax.startrek.in,uid=(.*),ou=People,dc=foo$"
attrs=entry,entryCSN,entryUUID, ... ,authorizedService,mu-mailBox
by dn.exact="uid=repl-talax,ou=repl,ou=system,dc=foo" read
by * break
access to dn.children="ou=talax,ou=Sendmail,dc=foo"
by dn.exact="uid=repl-talax,ou=repl,ou=system,dc=foo" read
by * stop
## allowing replica serving domain rinax.startrek.in
access to dn.regex="^uid=(.*)@rinax.startrek.in,authorizedService=(mail|xmpp)@rinax.startrek.in,uid=(.*),ou=People,dc=foo$"
attrs=entry,entryCSN,entryUUID, ... ,authorizedService,mu-mailBox
by dn.exact="uid=repl-rinax,ou=repl,ou=system,dc=foo" read
by * break
access to dn.children="ou=talax,ou=Sendmail,dc=foo"
by dn.exact="uid=repl-rinax,ou=repl,ou=system,dc=foo" read
by * stop
## allowing access to jpegPhoto:
### replicas to search (otherwise replication failed)
### admins, coadmins, self and the topmost DN (the 1st object in LDIF 1 sample above) to write
access to dn.subtree="ou=People,dc=foo" attrs=jpegPhoto
by dn.one="ou=repl,ou=system,dc=foo" search
by set="[cn=admin,ou=group,ou=system,dc=foo]/memberUid & user/uid" write
by set="[cn=coadmin,ou=group,ou=system,dc=foo]/memberUid & user/uid" write
by set.exact="this/-2 & user" write
by self write
by * none
## likewise
access to dn.subtree="ou=People,dc=foo"
by dn.one="ou=repl,ou=system,dc=foo" search
by set="[cn=acl-w-people,ou=group,ou=system,dc=foo]/memberUid & user/uid" write
by set="[cn=acl-r-people,ou=group,ou=system,dc=foo]/memberUid & user/uid" read
by self write
by users read
by * none
access to dn.subtree="ou=Organizations,dc=foo"
by dn.one="ou=repl,ou=system,dc=foo" search
by set="[cn=acl-w-organizations,ou=group,ou=system,dc=foo]/memberUid & user/uid" write
by set="[cn=acl-r-organizations,ou=group,ou=system,dc=foo]/memberUid & user/uid" read
by users read
by * none
access to dn.subtree="ou=Inventory,dc=foo"
by dn.one="ou=repl,ou=system,dc=foo" search
by set="[cn=acl-w-inventory,ou=group,ou=system,dc=foo]/memberUid & user/uid" write
by set="[cn=acl-r-inventory,ou=group,ou=system,dc=foo]/memberUid & user/uid" read
by users read
by * none
access to dn.subtree="ou=group,dc=foo"
by dn.one="ou=repl,ou=system,dc=foo" search
by set="[cn=acl-w-group,ou=group,ou=system,dc=foo]/memberUid & user/uid" write
by set="[cn=acl-r-group,ou=group,ou=system,dc=foo]/memberUid & user/uid" read
by users read
by * none
# for `users' we set `search' because `read' allows reading everything, but
# we tried to narrow what the replica can get; removing it altogether makes
# it impossible to get anything (perhaps it blocks some objects needed)
access to *
by dn.exact="uid=SPECIAL-USER,ou=People,dc=foo" manage
by set="[cn=admin,ou=group,ou=system,dc=foo]/memberUid & user/uid" manage
by peername.ip=127.0.0.1 read
by dn.one="ou=repl,ou=system,dc=foo" search
by set="[cn=bind,ou=group,ou=system,dc=foo]/memberUid & user/uid" read
by self read
by users read
by * none
...
---[ slapd.conf quotation end ]-------------------------------------------
> In the simple case where 'by * none' would have the same effect, you could
> just put another ACI ahead of the one above so it comes out like this:
> ...
> The problem is to write the '<expression matching the admin user DNs>'.
is there a way to know whether a DN is a child of the admin's one,
except to look at the end of it, i.e. whether it ends with
"uid=ADMIN-USER-TO-PROCESS,ou=People,dc=foo" ?
> That would probably be easier if you were not defining admin users by their
> UID in a Posix group. Ideally there would be an attribute visible in each
> entry that defines admin status, as then you could just key on that.
it implies using the attribute for each child object of the admin object,
like:
---[ LDIF 2 quotation start ]-------------------------------------------
dn: uid=adminuser,ou=People,dc=foo
belongsToAdmin: yes
...
objectClass: person
## branch for email service of talax.startrek.in domain object
dn: authorizedService=mail@talax.startrek.in,uid=adminuser,ou=People,dc=foo
belongsToAdmin: yes
...
objectClass: person
## email service of talax.startrek.in domain object
dn: uid=neelix@talax.startrek.in,authorizedService=mail@talax.startrek.in,uid=adminuser,ou=People,dc=foo
belongsToAdmin: yes
...
objectClass: person
## branch for email service of rinax.startrek.in domain object
dn: authorizedService=mail@rinax.startrek.in,uid=adminuser,ou=People,dc=foo
belongsToAdmin: yes
...
objectClass: person
## email service of rinax.startrek.in domain object
dn: uid=alixia@rinax.startrek.in,authorizedService=mail@rinax.startrek.in,uid=adminuser,ou=People,dc=foo
belongsToAdmin: yes
...
objectClass: person
---[ LDIF 2 quotation end ]-------------------------------------------
correct?
> If your admin group is defined as a standard DN-based groupOfNames then
> you could use the memberof overlay to reflect membership into an attribute
> of the user entry.
it implies providing all the admin's child DNs as members of such a group,
like
---[ LDIF 3 quotation start ]-------------------------------------------
dn: cn=admin,ou=group,ou=system,dc=foo
cn: admin
member: uid=adminuser,ou=People,dc=foo
member: authorizedService=mail@talax.startrek.in,uid=adminuser,ou=People,dc=foo
member: uid=neelix@talax.startrek.in,authorizedService=mail@talax.startrek.in,uid=adminuser,ou=People,dc=foo
member: authorizedService=mail@rinax.startrek.in,uid=adminuser,ou=People,dc=foo
member: uid=alixia@rinax.startrek.in,authorizedService=mail@rinax.startrek.in,uid=adminuser,ou=People,dc=foo
objectClass: groupOfNames
---[ LDIF 3 quotation end ]-------------------------------------------
correct?
--
Zeus V. Panchenko jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
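The question above asks whether there is any better test for "DN is a child of the admin's entry" than looking at the end of the string. The following is an added illustration (not code from this thread or from OpenLDAP) of why a plain suffix match is not enough: a comma escaped inside an RDN value makes a sibling entry end with the admin's DN, while an RDN-aware comparison still classifies it correctly. It assumes the `ou=People,dc=foo` base and the admin uid set from the thread, and uses simple lower-casing in place of the server's matching-rule normalization.

```python
from typing import List, Optional

PEOPLE_BASE = "ou=People,dc=foo"          # base from the thread
ADMIN_UIDS = {"adminuser"}                # constructed: memberUid values of cn=admin

def split_dn(dn: str) -> List[str]:
    """Split a string DN into RDNs on unescaped commas (RFC 4514 style).
    A backslash-escaped comma stays inside its RDN value."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep escape pair together
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append("".join(buf).strip())
    return rdns

def _norm(rdn: str) -> str:
    # Simplified normalization: lower-case type and value (caseIgnore attrs).
    attr, _, val = rdn.partition("=")
    return attr.strip().lower() + "=" + val.strip().lower()

def is_descendant(dn: str, ancestor: str) -> bool:
    """True if dn lies strictly below ancestor, compared RDN by RDN."""
    d = [_norm(r) for r in split_dn(dn)]
    a = [_norm(r) for r in split_dn(ancestor)]
    return len(d) > len(a) and d[-len(a):] == a

def owning_account(dn: str, base: str = PEOPLE_BASE) -> Optional[str]:
    """Return the uid=...,<base> entry under which dn lives (the 'topmost
    object' of the thread), or None if dn is not below the base."""
    d, b = split_dn(dn), split_dn(base)
    if len(d) <= len(b) or [_norm(r) for r in d[-len(b):]] != [_norm(r) for r in b]:
        return None
    return ",".join(d[-(len(b) + 1):])

def coadmin_may_manage(target_dn: str) -> bool:
    """Coadmins may manage People entries except those owned by an admin."""
    owner = owning_account(target_dn)
    if owner is None:
        return False
    uid = split_dn(owner)[0].partition("=")[2].strip().lower()
    return uid not in ADMIN_UIDS
```

The same RDN-wise walk is what an attribute such as `belongsToAdmin` or a `memberof`-derived attribute avoids having to do at ACL time, since the decision can then key on the entry's own attribute.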