
Re: Dynamic ACL in OpenLDAP with set:expand not working



On Wed, 21 Aug 2019 10:50:19 +0200
Ondřej Kuzník <ondra@mistotebe.net> wrote:

> On Tue, Aug 20, 2019 at 10:22:56PM +0200, Martin W. wrote:
> > Dear OpenLDAP technical list,
> > 
> > I've been running into a little problem with my permission
> > structures – and was wondering if you could help me with it.
> > 
> > I want the members of a group to administer a tree structure, the
> > group is member of it. I've tried some acl settings – I'll post my
> > trials below the basic structure.
> >
> > I've tried some different things ... and no regex was successful
> > :( Since I'll post some fragments, I put every LDIF fragment within
> > such a bash fragment:
> >  
> >> olcAccess: to *
> >>            by self write
> >>            by dn="cn=admin,dc=example,dc=com" write
> >>            by
> >> set="[cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & user"
> >> write by users read by * none  
> > 
> > trial 1
> >   
> >> olcAccess: to
> >> dn.regex="([^,]+,)?o=([^,]+),ou=entities,dc=example,dc=com" by
> >> self write by dn="cn=admin,dc=example,dc=com" write
> >>            by
> >> set="[cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & user"
> >> write by
> >> set.expand="[cn=admin,o=$2,ou=entities,dc=example,dc=com]/member*
> >> & user" write by set="this/member* & user" read by * none  
> > 
> > The result is that admin and any member of ldapadmins can edit, the
> > members of specific entity admin subgroups cannot edit.
> > The specific admin subgroups cannot even see the entities subtree.
> 
> Hi Martin,
> what is the order of the above two olcAccess statements? If they apply
> in the order above, it seems the first one will always apply and
> processing will stop there. In that case you either want to add a
> "break" in the first one or split/move it to be checked later.
> 
> I assume you also know and use the slapacl tool (and loglevel acl) to
> test with? Does it show any additional information that might be
> helpful in diagnosing the issue?

With regard to 'set' here is some basic information.
http://www.openldap.org/faq/data/cache/1133.html
http://www.openldap.org/faq/data/cache/1134.html

-Dieter

-- 
Dieter Klünter | Systems consulting
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
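
The reordering Ondřej suggests, written out as an added example that is not part of the thread: Martin's two olcAccess values from "trial 1", with the specific dn.regex rule placed before the catch-all "to *" so slapd evaluates it first. The database DN (olcDatabase={1}mdb,cn=config) is an assumption; the rules themselves are Martin's.

```ldif
# Added example (not from the thread). In cn=config the {n} prefix fixes the
# evaluation order; slapd stops at the first "to" clause that matches the
# target entry, so the entity rule must be {0} and "to *" must be {1}.
# Assumed database DN: olcDatabase={1}mdb,cn=config.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# {0}: entity subtrees. $2 is the second capture group of the dn.regex
# (the entity name) and is substituted into the set before evaluation.
# Continuation lines start with two spaces: LDIF strips one, the other keeps
# the tokens separated.
olcAccess: {0}to dn.regex="([^,]+,)?o=([^,]+),ou=entities,dc=example,dc=com"
  by self write
  by dn="cn=admin,dc=example,dc=com" write
  by set="[cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & user" write
  by set.expand="[cn=admin,o=$2,ou=entities,dc=example,dc=com]/member* & user" write
  by set="this/member* & user" read
  by * none
# {1}: everything else, unchanged from the original "to *" rule. Evaluated
# only for entries that {0} did not match, so it no longer shadows {0}.
olcAccess: {1}to *
  by self write
  by dn="cn=admin,dc=example,dc=com" write
  by set="[cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & user" write
  by users read
  by * none
```

Apply with `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif`, then check a concrete case with slapacl before trusting it, e.g. `slapacl -F /etc/ldap/slapd.d -D "<entity admin DN>" -b "<entry under o=<entity>,ou=entities,dc=example,dc=com>" -v` (DNs are placeholders to fill in).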