[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [Q] "selective" ACL

To: Zeus Panchenko <zeus@ibs.dn.ua>
Subject: Re: [Q] "selective" ACL
From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
Date: Thu, 29 Jun 2017 16:32:13 +0100
Cc: openldap-technical@openldap.org
Content-disposition: inline
In-reply-to: <20160909135147.21693@relay.ibs.dn.ua>
References: <20160909135147.21693@relay.ibs.dn.ua>
User-agent: Mutt/1.5.21 (2010-09-15)

[ This is a very old thread you are resurrecting! ]

On Fri, Sep 09, 2016 at 01:51:47PM +0300, Zeus Panchenko wrote:

> I have two posixGroup groups 
> 
> cn=admins,ou=group,dc=foo
> cn=coadmins,ou=group,dc=foo
> 
> my users resides in ou=People,dc=foo
> 
> so, in subtree ou=People,dc=foo I need to allow anything to admins (and
> it is not difficult of course)
> 
> for example this works for me:
> 
> access to dn.subtree="ou=People,dc=foo"
>         by set="[cn=admin,ou=group,dc=foo]/memberUid & user/uid" manage
>         by self write
>         by users read
>         by * break
> 
> but in addition I need to allow my coadmins to do the same things except
> manipulations upon the objects which belong to admins (
> ...anyobject,uid=adminuser,ou=People,dc=foo )
> 
> so, the question is: how? (if it is possible at all) :(

It depends partly on why the ACI ends with 'by * break'. What other
rules could be applied in that case?

In the simple case where 'by * none' would have the same effect, you could
just put another ACI ahead of the one above so it comes out like this:

access to <expression matching the admin user DNs>
        by self write
        by users read
        by * none

access to dn.subtree="ou=People,dc=foo"
        by set="[cn=admin,ou=group,dc=foo]/memberUid & user/uid" manage
        by self write
        by users read
        by * none

The problem is to write the '<expression matching the admin user DNs>'.
That would probably be easier if you were not defining admin users by their
UID in a Posix group. Ideally there would be an attribute visible in each
entry that defines admin status, as then you could just key on that.
If your admin group is defined as a standard DN-based groupOfNames then
you could use the memberof overlay to reflect membership into an attribute
of the user entry.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------

Prev by Date: Re: mmr pair stops replicating: "consumer state is newer than provider"
Next by Date: Re: mmr pair stops replicating: "consumer state is newer than provider"
Index(es):
- Chronological
- Thread