
Re: ACL for object creation in subtree with specific attributes and object classes



On 05.08.2014, at 15:00, Dieter Klünter <dieter@dkluenter.de> wrote:

> On Tue, 5 Aug 2014 13:39:13 +0200,
> Simeon Ott <simeon.ott@onnet.ch> wrote:
> 
>> On 05.08.2014, at 11:39, Dieter Klünter <dieter@dkluenter.de> wrote:
>> 
>>> On Tue, 5 Aug 2014 09:41:36 +0200,
>>> Simeon Ott <simeon.ott@onnet.ch> wrote:
>>> 
>>>> […]
>>>>     by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
>>>>     by * read
>>>> access to *
>>>>     by dn.base="cn=admin,dc=mydomain" write
>>>>     by * read
>>>> 
>>>> ACL rule 4 allows the postmaster to add objects to its "domain"
>>>> without any restrictions. How can I restrict the object creation to
>>>> specific object classes and attributes? Let's say postmaster should
>>>> only be able to add objects like the following:
>>> [...]
>>> man slapd.access(5), the <WHAT> field: @<objectClass>
>>> 
>>> -Dieter
>>> 
>> 
>> Thanks Dieter, I tried that already … instead of rules 3 and
>> 4 I used the following:
>> 
>> access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=intra,dc=onnet,dc=ch$"
>>         attrs=@CourierMailAccount,@inetOrgPerson,@top,@Vacation,entry,vacationInfo,smtpRelayFlag,description,vacationForward,displayName,givenName,homePhone,homePostalAddress,initials,mobile,postalAddress,postalCode,l,telephoneNumber,title
>>         by self write
>>         by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=intra,dc=onnet,dc=ch" write
>>         by * read
>> 
>> access to dn.regex="^ou=(.+),ou=domains,dc=intra,dc=onnet,dc=ch$"
>>         attrs=children
>>         by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=intra,dc=onnet,dc=ch" write
>>         by * read
>> 
>> As postmaster I'm still able to add objects to its domain. But I'm
>> also able to add other object classes and attributes.
>> 
>> I think I'm messing around with the attributes entry and children –
>> can anyone help me clean this up? :-)
> 
> Run slapd in ACL debugging mode and watch the rule number applied to a
> write operation.
> 

Okay, this didn't really help, but thanks anyway. I'm not familiar with reading those logs. I adjusted the loglevel to 128 to see the ACL processing, but it's still a huge amount of log lines when adding such an LDIF. I thought it was going to be an easy task.
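The ACL set the thread is working towards, written out as an added example (it is not the original poster's final configuration and not taken from the OpenLDAP project). It assumes the suffix dc=intra,dc=onnet,dc=ch, one ou=<domain>,ou=domains container per mail domain and cn=postmaster,ou=<domain>,... as that domain's administrator, all as in the quoted rules; the allowed class list (top, inetOrgPerson, CourierMailAccount, Vacation) is the one implied by the poster's attrs= line. The point it shows is the one the quoted rule misses: @top expands to objectClass, and write on objectClass is what lets the postmaster add any class at all, so objectClass needs its own rule, restricted by value.

```conf
# Added example, slapd.conf syntax. Rules are evaluated in order: for each
# attribute being checked, the first "access to" whose <what> matches is the
# only one consulted, and within it the first matching "by" clause applies.
# Entries of a domain are matched as "<rdn>,ou=<domain>,ou=domains,..."; the
# optional "(.+,)?" prefix from the thread is dropped on purpose so the ou
# entry itself is not writable by the postmaster.

# 1. objectClass, allowed values only. val.regex is tested against each value
#    being added; a value outside the list does not match this rule and falls
#    through to rule 2. The regex is case-sensitive, so clients must send the
#    class names exactly as listed (a wrong case fails closed, not open).
access to dn.regex="^[^,]+,ou=([^,]+),ou=domains,dc=intra,dc=onnet,dc=ch$" attrs=objectClass val.regex="^(top|inetOrgPerson|CourierMailAccount|Vacation)$"
        by dn.base="cn=admin,dc=intra,dc=onnet,dc=ch" write
        by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=intra,dc=onnet,dc=ch" write
        by * read

# 2. Any other objectClass value: admin only. This catch-all is what makes an
#    ldapadd with an unexpected class fail; without it the @<objectClass>
#    expansions in rule 3 could hand objectClass back to the postmaster.
access to dn.regex="^[^,]+,ou=([^,]+),ou=domains,dc=intra,dc=onnet,dc=ch$" attrs=objectClass
        by dn.base="cn=admin,dc=intra,dc=onnet,dc=ch" write
        by * read

# 3. The account attributes. @top is intentionally absent (it would add
#    objectClass). "entry" is kept so the postmaster can create and later
#    modify these entries. Attributes not listed here are not matched by this
#    rule and end up in rule 5, where the postmaster only has read, so an
#    ldapadd carrying extra attributes is rejected. The attrs= list must stay
#    on one line: slapd.conf continuation lines split tokens on whitespace.
access to dn.regex="^[^,]+,ou=([^,]+),ou=domains,dc=intra,dc=onnet,dc=ch$" attrs=entry,@CourierMailAccount,@inetOrgPerson,@Vacation,vacationInfo,smtpRelayFlag,description,vacationForward,displayName,givenName,homePhone,homePostalAddress,initials,mobile,postalAddress,postalCode,l,telephoneNumber,title
        by dn.base="cn=admin,dc=intra,dc=onnet,dc=ch" write
        by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=intra,dc=onnet,dc=ch" write
        by self write
        by * read

# 4. Creating entries below the domain container needs add (or write) on the
#    parent's "children" pseudo-attribute. "add" instead of "write" lets the
#    postmaster create entries but not delete or rename them; use "write" if
#    deletion by the postmaster is wanted.
access to dn.regex="^ou=([^,]+),ou=domains,dc=intra,dc=onnet,dc=ch$" attrs=children
        by dn.base="cn=admin,dc=intra,dc=onnet,dc=ch" write
        by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=intra,dc=onnet,dc=ch" add
        by * read

# 5. Everything else, including the domain ou entries and any attribute not
#    named in rule 3: admin writes, everyone else reads.
access to *
        by dn.base="cn=admin,dc=intra,dc=onnet,dc=ch" write
        by * read
```

To check which rule fires, run slapd with `-d acl` (or loglevel acl, the 128 mentioned above) and grep the output for `acl_mask: [N] applying`: N is the index of the `access to` clause that decided each attribute, so an unexpected `[3]` on objectClass means rule 1 or 2 did not match the DN or value as intended. An add succeeds only when the new entry's `entry` pseudo-attribute, the parent's `children` pseudo-attribute and every attribute value in the LDIF all get at least add/write, which is why the two pseudo-attributes have to be granted in separate rules on different DNs.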