----- "fathi engineer" fathi.engineer@gnet.tn wrote:
> Hi,
> In the process of setting up an OpenLDAP server as a PGP key server, I want to grant every authenticated user access to create a new entry in a subtree of the base DN, everybody access to read entries in that subtree, but only the creator the ability to modify his entries.
> I tried with the following (unsuccessfully):
> access to dn.children="ou=PGP Keys,o=SNCFT,c=TN" by dn.regex="^uid=([^,]+),(ou=[^,]+,)+ou=Users,o=SNCFT,c=TN$" selfwrite by dn.regex="^uid=([^,]+),ou=Users,o=SNCFT,c=TN$" write by * read
> and also by dnattr=owner selfwrite by users write by * read
> but none worked.
> I am running openldap-2.3.27-8.el5_2.4
Did you read slapd.access(5)? Did you read the requirements for the add and modify operations? You need to add access to "entry" to allow entry addition; you need to add access to attributes to allow their modification. And "owner" is a specific attribute of some objectClasses; unless you're creating those objects with the correct "owner" value, the creator will not be able to write them. You should use
by dnattr=creatorsName write
The "self" is not needed; it refers to a user writing to a target corresponding to its own name, or to an attribute whose value consists of its own name.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando@sys-net.it -----------------------------------
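The ACL set the original poster was after, written here as an added example that follows the points above (it is not a configuration from the thread or from OpenLDAP itself). It assumes an OpenLDAP 2.4 slapd.conf, because the separate add and delete privilege levels it uses do not exist in 2.3, and it assumes users bind with the same DN that slapd records in creatorsName.

```conf
# slapd.conf fragment (added example). Access directives are first-match on
# target (DN plus attribute), so the pseudo-attribute rules must precede the
# general rule for the same subtree. Readability of the container entry
# itself is left to the rest of the configuration.

# Adding or deleting an entry requires write access to the "children"
# pseudo-attribute of the parent container. Deletion is still gated by the
# per-entry rule below, so write here is acceptable for any bound user.
access to dn.exact="ou=PGP Keys,o=SNCFT,c=TN" attrs=children
    by users write
    by * read

# Adding an entry requires add access to the "entry" pseudo-attribute of the
# new entry; deleting it requires delete access to the same. Any bound user
# may add; only the DN recorded in creatorsName may delete (write = add + delete).
# On 2.3 only "write" exists, which would also let any bound user delete.
access to dn.children="ou=PGP Keys,o=SNCFT,c=TN" attrs=entry
    by dnattr=creatorsName write
    by users add
    by * read

# Modifying an entry requires write access to the attributes being changed.
# Only the creator may write; everyone, anonymous included, may read and search.
# Note: attribute-level rules are not consulted during add (ITS#4556, discussed
# later in the thread), so this cannot constrain which attributes a newly
# added entry contains.
access to dn.children="ou=PGP Keys,o=SNCFT,c=TN"
    by dnattr=creatorsName write
    by * read
```

Check the result with slapacl(8) against a bound user DN before and after creating a test entry, rather than inferring it from client errors.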
On Wed, Aug 06, 2008 at 09:38:52AM +0200, Pierangelo Masarati wrote:
> Did you read slapd.access(5)? Did you read the requirements for the add and modify operations? You need to add access to "entry" to allow entry addition; you need to add access to attributes to allow their modification.
Speaking about that: how to allow entry creation while maintaining constraints on what is being added? I.e.: if you want users to add entries, but not with a specific attribute set?
----- "Emmanuel Dreyfus" manu@netbsd.org wrote:
> On Wed, Aug 06, 2008 at 09:38:52AM +0200, Pierangelo Masarati wrote:
> > Did you read slapd.access(5)? Did you read the requirements for the
> > add and modify operations? You need to add access to "entry" to allow entry addition; you need to add access to attributes to allow their modification.
> Speaking about that: how to allow entry creation while maintaining constraints on what is being added? I.e.: if you want users to add entries, but not with a specific attribute set?
Currently, it's not possible. See http://www.openldap.org/its?findid=4556 for details and a roadmap.
Pierangelo Masarati wrote:
> ----- "Emmanuel Dreyfus" manu@netbsd.org wrote:
> > Speaking about that: how to allow entry creation while maintaining constraints on what is being added? I.e.: if you want users to add entries, but not with a specific attribute set?
> Currently, it's not possible. See http://www.openldap.org/its?findid=4556 for details and a roadmap.
My first reaction was also DIT structure rules. But that's not what Emmanuel was asking for because DIT structure rules are limiting the use of structural object classes for *all* users (schema vs. access control).
Maybe Emmanuel could try to describe the particular use-case he has in mind a little bit more.
Ciao, Michael.
Emmanuel Dreyfus wrote:
> On Wed, Aug 06, 2008 at 09:38:52AM +0200, Pierangelo Masarati wrote:
> > Did you read slapd.access(5)? Did you read the requirements for the add and modify operations? You need to add access to "entry" to allow entry addition; you need to add access to attributes to allow their modification.
> Speaking about that: how to allow entry creation while maintaining constraints on what is being added? I.e.: if you want users to add entries, but not with a specific attribute set?
Currently there's no checking for this. http://www.openldap.org/its/index.cgi/Software%20Enhancements?id=4556
It would probably be a good idea to add it.
Howard Chu wrote:
> Emmanuel Dreyfus wrote:
> > On Wed, Aug 06, 2008 at 09:38:52AM +0200, Pierangelo Masarati wrote:
> > > Did you read slapd.access(5)? Did you read the requirements for the add and modify operations? You need to add access to "entry" to allow entry addition; you need to add access to attributes to allow their modification.
> > Speaking about that: how to allow entry creation while maintaining constraints on what is being added? I.e.: if you want users to add entries, but not with a specific attribute set?
> Currently there's no checking for this. http://www.openldap.org/its/index.cgi/Software%20Enhancements?id=4556
> It would probably be a good idea to add it.
I'd really like to see support for that. I know an LDAP client which will be available for interop testing of DIT structure rules pretty soon. ;-)
Ciao, Michael.
Michael Ströder wrote:
> Howard Chu wrote:
> > Emmanuel Dreyfus wrote:
> > > On Wed, Aug 06, 2008 at 09:38:52AM +0200, Pierangelo Masarati wrote:
> > > > Did you read slapd.access(5)? Did you read the requirements for the add and modify operations? You need to add access to "entry" to allow entry addition; you need to add access to attributes to allow their modification.
> > > Speaking about that: how to allow entry creation while maintaining constraints on what is being added? I.e.: if you want users to add entries, but not with a specific attribute set?
> > Currently there's no checking for this. http://www.openldap.org/its/index.cgi/Software%20Enhancements?id=4556
> > It would probably be a good idea to add it.
> I'd really like to see support for that. I know an LDAP client which will be available for interop testing of DIT structure rules pretty soon. ;-)
> Ciao, Michael.
Actually I was referring more to adding the ACL check; DIT structure rules are really not the answer to this enhancement request.
I commented on this on -devel some months ago - for fine-grained delegation of admin privileges, we really need to be able to control which users can create what type of entries under cn=config.