[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Subordinate ACL question

To: ando@sys-net.it
Subject: Re: Subordinate ACL question
From: Luke Howard <lukeh@padl.com>
Date: Tue, 9 Nov 2004 22:31:20 +1100
Cc: openldap-software@OpenLDAP.org
Organization: PADL Software Pty Ltd
References: <200411090936.iA99abHE054319@au.padl.com> <60915.131.175.154.56.1099996163.squirrel@131.175.154.56> <200411091043.iA9AhD1K057496@au.padl.com> <60969.131.175.154.56.1099998397.squirrel@131.175.154.56>
Versions: dmail (bsd44) 2.6d/makemail 2.10

>My understanding is that you want to confine in one rule all is required
>to allow entry addition.  This can be done at the cost of giving away more

Yes, my ACL configuration file is becoming too complicated (cue really
bad joke about ACLs breeding).

>rights than strictly required.  You need a <what> clause <dn> pattern that
>matches both the parent and the newborn entry; in this case you can
>simultaneously give access to "children", "entry" and "<attrlist>", at the
>cost of giving the same access rights to the children of the newborn
>entry, and to the parent's "entry" and "attrlist" attributes.  In your
>case, I guess the only option is to use (going back to your very initial
>example):
>
>access to dn.regex="^(([^,]+),)?cn=([^,]+),CN=FOO$"
>attrs=entry,children,@pilotPerson
>    by dn.exact,expand="cn=$3,CN=FOO" write
>
>This matches exactly "^cn=([^,]+),CN=FOO$" or a direct child of it.  Hope
>it helps.

Thanks, I'd prefer clear ACLs that are not overly permissive :-)

Note that in the first example, which is what I'm most keen to simplify,
the subject is not related to the object (the subject is a well known DN).
So there is no regex substitution needed.

All I want to do is allow this well known subject to create entries of a
particular class underneath another well known DN (and to be able to
create further entries subordinate to these newly created entries of the
same object class).

If I follow your logic, then will the following rule work (at the expense
of giving CN=BAR members access to the pilotPerson attributes of CN=FOO,
which I can live with)?

	access to dn.subtree="CN=FOO" attrs=children,entry,@pilotPerson
		by group/group/member.exact=CN=BAR

Or, the following, tighter rule:

	access to dn.onelevel="CN=FOO" attrs=children
		by group/group/member.exact=CN=BAR write

	access to dn.children="CN=FOO" attrs=entry,@pilotPerson
		by group/group/member.exact=CN=BAR write

My real concern is just having to repeat the same subjects for similar
ACLs. It would be nice to be able to group a bunch of subjects together
and just refer to them in subsequent rules.

-- Luke

--

Follow-Ups:
- Re: Subordinate ACL question
  - From: Howard Chu <hyc@symas.com>
- Re: Subordinate ACL question
  - From: Pierangelo Masarati <ando@sys-net.it>

References:
- Subordinate ACL question
  - From: Luke Howard <lukeh@padl.com>
- Re: Subordinate ACL question
  - From: "Pierangelo Masarati" <ando@sys-net.it>
- Re: Subordinate ACL question
  - From: Luke Howard <lukeh@padl.com>
- Re: Subordinate ACL question
  - From: "Pierangelo Masarati" <ando@sys-net.it>

Prev by Date: Re: ACLs: 'and' clause in ACLs
Next by Date: Re: ACLs: "and" clause in ACLs
Index(es):
- Chronological
- Thread