Emmanuel Dreyfus wrote:
> - a person must be able to modify a mailAddress when it receives mail
> from this address. This is done by an ACL clause like this (obtained
> from this mailing list):
>
>   by set.exact="this/mail & user/mail" write
>
> It works very well. That goal is fulfilled.
Looks just fine.
> - a user listed as a manager for an ou must be able to modify the
> persons within the ou. I've come to the following:
>
>   access to dn.regex="uid=.+,ou=(.+),dc=example,dc=net$"
>       by set.expand="[ou=$1,dc=example,dc=net]/manager* & user" write
>
> That works, though it seems to be very poor on the performance front.
Not sure you need to further expand the manager (the "star" at the end of /manager*). Furthermore, if that's your real DN layout, you could try something like

    access to dn.regex="^uid=.+,(ou=.+,dc=example,dc=net)$"
        by set.expand="[$1]/manager & user" write
I also note that

    access to dn.regex="^uid=.+,(ou=.+,dc=example,dc=net)$"
        by group/organizationalUnit/manager.expand="$1" write

should be equivalent and much more efficient (but, AFAIK, organizationalUnit does not allow manager!).
The above says that if you treat the objectClass "organizationalUnit" as a group, and "manager" as the group's member attribute, and the manager's value matches the user's identity, access is granted.
> I tried something simpler, such as:
>
>   by set.exact="this/ou/manager & user"
>
> or that way:
>
>   by set.exact="(this/ou+[,dc=example,dc=net])/manager & user"
>
> but it does not work, I have no idea why. I'm very curious to learn
> what's wrong here.
As far as I understand, "ou" contains the name of the organizationalUnit, not its DN. So set expansion does not work, because it only acts on DNs. Maybe something like

    by set.exact="([cn=]+this/ou+[dc=example,dc=net])/manager & user"
You see, in the last case you were almost there: all you're missing is the [cn=]+ at the beginning of the DN. But see my much cleaner example above, which should be the most efficient thing you can do.
> - The trickiest part, for which I have no solution: a user listed as a
> manager for an ou must be able to modify the mailAddress that a user he
> can modify could modify.
>
> I can try to rephrase this a bit better. If I have the following
> (mailAddress, person, ou) triplet:
>
>   dn: mail=W,dc=example,dc=net
>
>   dn: uid=X,ou=Y,dc=example,dc=net
>   mail: W
>
>   dn: ou=Y,dc=example,dc=net
>   manager: Z
>
> I want user Z to be able to modify mailAddress W.
>
> Here is an attempt that does not work:
>
>   by set.exact=" ([uid=*,ou=] + ([manager=] + user)/ou*) + [,dc=example,dc=net])/mail & this/mail" write
This seems to be hard to get. As far as I understand:

- your final relation should be ANS ::= "this/mail & USERS/mail"
- where USERS is defined as USERS ::= "[ldap:///OUDN??one]/entryDN"
- but what's missing is how to compute OUDN from what you've got; this should do what you need (note the "?" between the scope and the filter, as LDAP URLs require):
  OUDN ::= "([ldap:///dc=example,dc=net??one?(manager=]+user+[)])/entryDN"

so performing the substitutions, and breaking up and combining literals as appropriate

    by set.exact="this/mail & ([ldap:///]+([ldap:///dc=example,dc=net??one?(manager=]+user+[)])/entryDN+[??one]/entryDN)/mail"

the above should work. Unless I missed something in your description, of course.

Note that performance will be ugly...
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:  +39.02.23998309
Mobile:  +39.333.4963172
Email:   pierangelo.masarati@sys-net.it
------------------------------------------
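The three rules discussed in the thread, assembled into one ACL set in cn=config form together with the W/X/Y/Z sample entries, as an added example that is not part of the thread. The point it adds is ordering: the "first matching `to` clause wins" rule means the manager-to-mailAddress set must sit as a second `by` clause under the same `to` as the person-to-mailAddress set, and a trailing `to * by * read` is needed because the implicit final rule is `by * none`. Assumptions, marked in comments: the database DN olcDatabase={1}mdb,cn=config, the manager's DN uid=Z,ou=admins,dc=example,dc=net, extensibleObject as a stand-in so the ou entry can carry `manager` (organizationalUnit does not allow it), and a placeholder objectClass `mailAddress` for the mail=... entries that must be replaced by the site schema. The LDAP URL in the manager rule is written with the `?` separator between scope and filter that RFC 4516 requires, and the URL construction is parenthesised explicitly before `/entryDN` so the grouping does not depend on the set parser's precedence.

```ldif
# Added example, not from the thread. Two LDIF files are shown in one
# listing, separated by comments; each is applied with the command given.
#
# --- file 1: acl.ldif
#     ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# {0}: rules on the mailAddress entries. Both "by" clauses must live under
# the same "to": the first matching "to" wins, so a separate manager rule
# placed after this one would never be evaluated for mail=... entries.
#   first "by":  the bound user's own mail equals the entry's mail
#   second "by": the bound user is manager of an ou (one level under the
#                suffix, filter manager=<user DN>) and one of that ou's
#                one-level children carries this entry's mail value
olcAccess: {0}to dn.regex="^mail=.+,dc=example,dc=net$"
  by set.exact="this/mail & user/mail" write
  by set.exact="this/mail & (([ldap:///]+([ldap:///dc=example,dc=net??one?(manager=]+user+[)])/entryDN+[??one])/entryDN)/mail" write
  by * read
# {1}: the ou's manager may write the persons directly under the ou.
#      $1 is the ou DN captured by dn.regex; [$1]/manager is the set of
#      manager DNs of that entry.
olcAccess: {1}to dn.regex="^uid=.+,(ou=.+,dc=example,dc=net)$"
  by set.expand="[$1]/manager & user" write
  by * read
# {2}: everything else read-only (without it the implicit rule is "by * none").
olcAccess: {2}to *
  by * read

# --- file 2: data.ldif (constructed sample entries)
#     slapadd -F /etc/openldap/slapd.d -l data.ldif
dn: dc=example,dc=net
objectClass: dcObject
objectClass: organization
dc: example
o: Example

dn: ou=admins,dc=example,dc=net
objectClass: organizationalUnit
ou: admins

# The manager Z; its location under ou=admins is an assumption.
dn: uid=Z,ou=admins,dc=example,dc=net
objectClass: inetOrgPerson
uid: Z
cn: Z
sn: Z
mail: z@example.net

# organizationalUnit does not allow "manager"; extensibleObject is an
# assumed stand-in for a site-defined auxiliary class carrying it.
dn: ou=Y,dc=example,dc=net
objectClass: organizationalUnit
objectClass: extensibleObject
ou: Y
manager: uid=Z,ou=admins,dc=example,dc=net

dn: uid=X,ou=Y,dc=example,dc=net
objectClass: inetOrgPerson
uid: X
cn: X
sn: X
mail: W

# "mailAddress" is the thread's name for these entries; the objectClass
# is a placeholder and must be replaced by the site schema.
dn: mail=W,dc=example,dc=net
objectClass: mailAddress
mail: W
```

With the data loaded, `slapacl -F /etc/openldap/slapd.d -D uid=Z,ou=admins,dc=example,dc=net -b mail=W,dc=example,dc=net mail/write` evaluates the manager path of rule {0} against the stored entries without starting slapd, and the same command with `-b uid=X,ou=Y,dc=example,dc=net` exercises rule {1}; running it with `-D uid=X,ou=Y,dc=example,dc=net -b mail=W,dc=example,dc=net mail/write` exercises the first `by` clause of rule {0}. Do not pass `-u` to slapacl here: it substitutes a fake target entry holding only the DN, which leaves `this/mail` empty and the sets unsatisfied.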