[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACLs for children entry

To: Natalia <nata.cs2@gmail.com>
Subject: Re: ACLs for children entry
From: Hallvard Breien Furuseth <h.b.furuseth@usit.uio.no>
Date: Thu, 22 Mar 2012 15:46:07 +0100 (CET)
Cc: openldap-technical@openldap.org

On Thu, 22 Mar 2012 14:22:45 +0100, Natalia <nata.cs2@gmail.com> wrote:
> I have the following tree structure in LDAP:
> ou=people,dc=example,dc=com
>   uid=user1,ou=people,dc=example,dc=com
> 
>            cn=child1,uid=user1,ou=people,dc=example,dc=com
>            cn=child2,uid=user1,ou=people,dc=example,dc=com
>    uid=user2,ou=people,dc=example,dc=com
> ..
> 
> I would like to make access in such a way: if fathers account
> (uid=user1,ou=people,dc=example,dc=com) is inactivated
> (description=inaktiv), all children become inaccessible.

Something like this, I think.  Untested, sorry.

to dn.regex=",(uid=[^,]+,ou=people,dc=example,dc=com)$"
  by set.expand="[$1]/description & inaktiv" none
  by group.exact="cn=ldapadmin,dc=example,dc=com" tls_ssf=128 sasl_ssf=56 write
  by * +0 break

I.e. access to: any children of an uid=... entry.
  1. Look up 'description' in entry $1 ("uid=...), and
     refuse access if it matches 'inaktiv'.
  2. For other entries, ldap admin over TLS+SASL gets full access.
  3. For everyone else, skip this access statement and go
     on to check the following access 'to' statements.

Drop the regexps' initial "," to also control the uid=... entry.
Swap (1) and (2) to also give admin access to inactive subtrees.
Replace (3) with e.g. 'by * read' to instead give others read access.

> I have tried with this, but it has not functioned:
>  to dn.regex="uid=([^,]+),ou=people,dc=example,dc=com"
> filter="(description=inaktiv)" attrs=children 
>   by group.exact="cn=ldapadmin,dc=example,dc=com" tls_ssf=128
> sasl_ssf=56 write 
>   by * none

That's not what "()" in regexps, filter, and children mean.  See
man slapd.access.  The access syntax tries to make sensible access
statements readable, but that doesn't mean any readable access
statement is sensible:-)

This is what your access statement means:

When accessing e.g. the entry "cn=child1,...", your dn.regex is checked
against the DN, and matches.  But the filter is checked against the
cn=child1 entry, not against a parent entry.  That does not match.  Nor
does attrs=children usually match - that's a pseudo-attribute which
Add/Delete/Rename check in the parent entry of the entry being added.

So this access statement is skipped, since the 'to' statement normally
does not match.  If it had matched, you'd then give write access to
ldapadmin if they use TLS and SASL.  Nobody else would get access.

-- 
Hallvard

Follow-Ups:
- Re: ACLs for children entry
  - From: Natalia <nata.cs2@gmail.com>

Prev by Date: Re: OPENLDAP & SSL -- FOR FAILOVER
Next by Date: Re: Concerns with OLC (cn=config) for editing schema, ACLs, and deleting entries
Index(es):
- Chronological
- Thread