Christian Kratzer wrote:
Hi Michael,
On Sat, 14 Dec 2013, Michael Ströder wrote:
Hi!
I used this FAQ entry to use set-based ACLs for my current task:
http://www.openldap.org/faq/data/cache/1133.html
There's written:
"We could make this more powerful (and more complex and costly to compute) by allowing base sets to be built from LDAP filters. This is something to consider, because the combination of filters and sets (which have little overlap in what they can express) is very powerful. This is partially provided by the URI expansion capability."
Was this ever implemented? It would be helpful. IMO using 'this' and/or 'user' in [ldap://] sets would make evaluating the set-based <who> clause faster if attributes used in LDAP URLs are properly indexed.
Background: My aim is to configure Linux clients all the same (search base, filter etc.) but let each *machine* individually authenticate against OpenLDAP server. Then only the users who are members of groups with login rights on this particular server should be visible to the Linux client. So the goal is to filter user/groups at the OpenLDAP server and *not* in the Linux client (e.g. by sssd configuration or similar). For now it seems only possible to do this with set-based ACLs given all the requirements I have.
I needed to restrict users seen by a specific application to users that are members of the respective application's group.
I cheated by not checking the group but the memberOf: attribute in the entries I intended to filter.
olcAccess: to dn.children="dc=example,dc=org"
 filter="(memberOf=cn=application1-group,ou=groups,dc=example,dc=org)"
 by dn.base="cn=application1-user,ou=system,dc=example,dc=org" read
olcAccess: to dn.children="dc=example,dc=org"
 filter="(memberOf=cn=application2-group,ou=groups,dc=example,dc=org)"
 by dn.base="cn=application2-user,ou=system,dc=example,dc=org" read
olcAccess: to dn.children="dc=example,dc=org"
 filter="(memberOf=cn=application3-group,ou=groups,dc=example,dc=org)"
 by dn.base="cn=application3-user,ou=system,dc=example,dc=org" read
The performance implications of this kind of ACL should be OK from my understanding, as they only apply to the specific application's user.
Thanks for sharing your ACLs.
But in my case it's a strong requirement that ACLs are generic and do not contain any names. So in your case one could add more applications just by adding entries without having to touch any ACLs at all.
AFAICT something like this can only be done with set-based ACLs.
Ciao, Michael.
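For comparison with the per-application rules above, one name-free shape of the set-based rule Michael is after, written as an added illustration for this thread (it is not code from either poster nor from the OpenLDAP FAQ). It assumes the memberof overlay maintains memberOf on both user entries and the per-machine bind accounts, that the bind accounts live under ou=hosts, and that each login group under ou=groups lists both the permitted users and the machine accounts allowed on that host as member values.

```ldif
# Added example (not from the thread). Assumed layout:
#   ou=people,dc=example,dc=org  - user entries, memberOf maintained by memberof overlay
#   ou=hosts,dc=example,dc=org   - one bind account per Linux client, also with memberOf
#   ou=groups,dc=example,dc=org  - cn=<host>-login groups whose member values list the
#                                  machine account plus the users allowed to log in there
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# A client bound as its machine account may read a user entry only if the two
# entries share at least one group: "this" is the entry being read, "user" is
# the bound DN, and the set is non-empty exactly when their memberOf values
# intersect. No application or host name appears in the rule, so adding a
# host or a group needs no ACL change.
olcAccess: {0}to dn.children="ou=people,dc=example,dc=org"
 by dn.children="ou=hosts,dc=example,dc=org" set="this/memberOf & user/memberOf" read
 by self read
 by * none
```

Note that slapd expands both sides of the set by fetching the two entries for every candidate entry, so an index on memberOf does not speed this rule up the way it would a filter= clause; the trade-off is exactly the one the quoted FAQ paragraph describes.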