Hi all,
I am running an openldap 2.4.7 on debian with small local schema modifications: a few more attributes and an objectClass derived from inetOrgPerson.
I have looked in the administrator's guide and the slapd.access manpage but I can't figure out how to do the following: I want to give write access depending on the value of an attribute.
something like:
access to dn="cn=foo,ou=groups,dc=example,dc=com" attrs=cn,description,memberUid,entry by (&(objectClass=inetOrgPerson)(employeeType=chief)) write
If I have read the manpage correctly, I can't do it with a filter. Is there any way to get this behavior ?
It is not clear for me if the "dynacl" I saw in the manpage:
- can solve this problem
- are compulsory to solve it
any help ? example ?
thanks.
Fabrice Eudes wrote:
Hi all,
I am running an openldap 2.4.7 on debian with small local schema modifications: a few more attributes and an objectClass derived from inetOrgPerson.
I have looked in the administrator's guide and the slapd.access manpage but I can't figure out how to do the following: I want to give write access depending on the value of an attribute.
something like:
access to dn="cn=foo,ou=groups,dc=example,dc=com" attrs=cn,description,memberUid,entry by (&(objectClass=inetOrgPerson)(employeeType=chief)) write
If I have read the manpage correctly, I can't do it with a filter. Is there any way to get this behavior ?
It is not clear for me if the "dynacl" I saw in the manpage:
- can solve this problem
- are compulsory to solve it
any help ? example ?
thanks.
I am not sure how to do exactly what you ask, but an alternative would be to use the "group" <who> clause.
If all your "chiefs" are in a common group, just add: by group.exact="cn=Chiefs,ou=Groups,dc=example,dc=com" write
/Tobias
Hi all,
I am running an openldap 2.4.7 on debian with small local schema modifications: a few more attributes and an objectClass derived from inetOrgPerson.
I have looked in the administrator's guide and the slapd.access manpage but I can't figure out how to do the following: I want to give write access depending on the value of an attribute.
an attribute in the target (the "what") or in the user (the "who")?
something like:
access to dn="cn=foo,ou=groups,dc=example,dc=com" attrs=cn,description,memberUid,entry by (&(objectClass=inetOrgPerson)(employeeType=chief)) write
This syntax is not valid.
If I have read the manpage correctly, I can't do it with a filter. Is there any way to get this behavior ?
If access depends on values in the "what", use filter="<your filter>" in the "what" clause; if access depends on values in the "who", use sets; in your case, something like
access to dn="cn=foo,ou=groups,dc=example,dc=com" attrs=cn,description,memberUid,entry by set="[ldap:///ou=people,dc=example,dc=com?1.1?sub?(&(objectClass=inetOrgPerson)(employeeType=chief))]/entryDN & user" write
should work (note: indentation has probably been destroyed by my mailer).
It is not clear for me if the "dynacl" I saw in the manpage:
- can solve this problem
- are compulsory to solve it
Dynacl has nothing to do with this. In fact, dynacl is a mechanism that allows you to code access checking yourself, and plug it in as a run-time loadable object. So, by itself, it would allow a lot of freedom, provided you can write the code that does what you mean.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it --------------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati@sys-net.it ---------------------------------------
Hi, (I've enabled long lines without wrapping)
Pierangelo Masarati wrote:
if access depends on values in the "who", use sets; in your case, something like
access to dn="cn=foo,ou=groups,dc=example,dc=com" attrs=cn,description,memberUid,entry by set="[ldap:///ou=people,dc=example,dc=com?1.1?sub?(&(objectClass=inetOrgPerson)(employeeType=chief))]/entryDN & user" write
wow ! no chance I could find that on my own, especially because the slapd.access manpage says « The statement set=<pattern> is undocumented yet. » :-)
should work (note: indentation has probably been destroyed by my mailer).
no, it doesn't work :-( precisely, in slapd.conf, I've added:
access to dn.children="ou=groupes,dc=domain" attrs=cn,description,memberUid,entry by dn="cn=adminLDAP,dc=domain" write by set="[ldap:///ou=personnes,dc=domain?1.1?sub?(&(objectClass=iremLillePerson)(groupesTravail=1200))]/entryDN & user" write by users read
iremLillePerson = inetOrgPerson + groupesTravail (multi-valued)
1200 = value of the attribute for which I want to give write access.
when I give an explicit: by dn="cn=name,ou=personnes,dc=domain" instead of the set clause, it works.
any idea ?
Dynacl has nothing to do with this.
ok, thanks for making this clear.
Fabrice Eudes wrote:
Pierangelo Masarati wrote:
if access depends on values in the "who", use sets; in your case, something like
access to dn="cn=foo,ou=groups,dc=example,dc=com" attrs=cn,description,memberUid,entry by set="[ldap:///ou=people,dc=example,dc=com?1.1?sub?(&(objectClass=inetOrgPerson)(employeeType=chief))]/entryDN & user" write
wow ! no chance I could find that on my own, especially because the slapd.access manpage says « The statement set=<pattern> is undocumented yet. » :-)
The only documentation is in http://www.openldap.org/faq/data/cache/1133.html.
should work (note: indentation has probably been destroyed by my mailer).
no, it doesn't work :-( precisely, in slapd.conf, I've added:
access to dn.children="ou=groupes,dc=domain" attrs=cn,description,memberUid,entry by dn="cn=adminLDAP,dc=domain" write by set="[ldap:///ou=personnes,dc=domain?1.1?sub?(&(objectClass=iremLillePerson)(groupesTravail=1200))]/entryDN & user" write by users read
iremLillePerson = inetOrgPerson + groupesTravail (multi-valued)
1200 = value of the attribute for which I want to give write access.
when I give an explicit: by dn="cn=name,ou=personnes,dc=domain" instead of the set clause, it works.
My fault (and a bug in the code): remove the "1.1", leaving the "attrs" field of the URI empty.
p.
Hi,
Pierangelo Masarati wrote:
The only documentation is in http://www.openldap.org/faq/data/cache/1133.html.
yes. I found it a few minutes ago, thanks for the tip.
My fault (and a bug in the code): remove the "1.1", leaving the "attrs" field of the URI empty.
I tried this but still can't get it to work :-(
set="[ldap:///ou=personnes,dc=domain??sub?(&(objectClass=iremLillePerson)(groupesTravail=1200))]/entryDN & user" write
fails
set="[ldap:///ou=personnes,dc=domain??sub?(&(objectClass=iremLillePerson)(groupesTravail=1200))]/entryDN" write
fails
by dn="cn=chief,ou=personnes,dc=domain"
where groupesTravail of cn=chief contains the value 1200.
I checked that the filter part is fine.
don't know what to do next... :-(
Fabrice Eudes wrote:
I tried this but still can't get it to work :-(
set="[ldap:///ou=personnes,dc=domain??sub?(&(objectClass=iremLillePerson)(groupesTravail=1200))]/entryDN & user" write
fails
set="[ldap:///ou=personnes,dc=domain??sub?(&(objectClass=iremLillePerson)(groupesTravail=1200))]/entryDN" write
fails
by dn="cn=chief,ou=personnes,dc=domain"
where groupesTravail of cn=chief contains the value 1200.
I checked that the filter part is fine.
don't know what to do next... :-(
Of course, the user needs to have "search" access to the entry, the attributes and values that are used in the filter... in your case, to attrs entry, objectClass and groupesTravail of the user object.
p.
Pierangelo Masarati wrote:
My fault (and a bug in the code): remove the "1.1", leaving the "attrs" field of the URI empty.
Leaving the "attrs" field empty should do the trick. In the meantime, a fix is in HEAD (ITS#5384).
p.
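Putting the three findings of the thread together (sets for attribute-of-the-"who" decisions, an empty attrs field in the set URI instead of "1.1" on 2.4.7, and search access for the bound user on the entries and attributes the set filter touches), here is an added slapd.conf fragment. It is my own example, not configuration posted by anyone in this thread nor taken from the OpenLDAP documentation. It assumes the naming from Fabrice's later messages: suffix dc=domain, people under ou=personnes,dc=domain with objectClass iremLillePerson and the multi-valued attribute groupesTravail, groups under ou=groupes,dc=domain, and cn=adminLDAP,dc=domain as the administrative identity. The group cn=chefs,ou=groupes,dc=domain in the commented alternative is hypothetical.

```conf
# slapd.conf ACL fragment (added example; assumed naming, see lead-in).
# slapd uses the first "access to" whose <what> matches the target, then
# the first "by" clause that matches the requester, so order matters.

# 1. Prerequisite for the set below: evaluating the set runs an internal
#    search as the bound user, so that user must be allowed to search the
#    people entries and see the attributes used in the filter (entry,
#    objectClass, groupesTravail). "read" implies "search" in slapd's
#    access ordering. Other attributes of person entries are governed by
#    whatever rules follow this fragment.
access to dn.children="ou=personnes,dc=domain"
        attrs=entry,objectClass,groupesTravail
    by dn.exact="cn=adminLDAP,dc=domain" write
    by users read
    by * none

# 2. Grant write on the group entries to users whose own entry matches the
#    filter. The attrs field of the URI is left empty ("??sub?"): with the
#    2.4.7 code "?1.1?" does not work (fixed in HEAD as ITS#5384).
#    "/entryDN & user" intersects the DNs returned by the search with the
#    bound DN, so the set is non-empty exactly when the requester matches.
access to dn.children="ou=groupes,dc=domain"
        attrs=cn,description,memberUid,entry
    by dn.exact="cn=adminLDAP,dc=domain" write
    by set="[ldap:///ou=personnes,dc=domain??sub?(&(objectClass=iremLillePerson)(groupesTravail=1200))]/entryDN & user" write
    by users read
    by * none

# 3. Alternative without sets (Tobias' suggestion): keep the chiefs in a
#    static group and use group.exact. Replace rule 2 with this if the
#    membership is maintained as a group rather than as an attribute value.
#    The group DN below is hypothetical.
# access to dn.children="ou=groupes,dc=domain"
#         attrs=cn,description,memberUid,entry
#     by dn.exact="cn=adminLDAP,dc=domain" write
#     by group.exact="cn=chefs,ou=groupes,dc=domain" write
#     by users read
#     by * none
```

To check the result without a client, slapacl(8) from the OpenLDAP distribution evaluates the ACLs offline against the configured database, for example: slapacl -f /etc/ldap/slapd.conf -D "cn=chief,ou=personnes,dc=domain" -b "cn=foo,ou=groupes,dc=domain" memberUid/write. Running it once for a user whose groupesTravail contains 1200 and once for a user without that value shows whether rule 2 (and the search access from rule 1 it depends on) behaves as intended.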
Pierangelo Masarati wrote:
Fabrice Eudes wrote:
Pierangelo Masarati wrote:
if access depends on values in the "who", use sets; in your case, something like
access to dn="cn=foo,ou=groups,dc=example,dc=com" attrs=cn,description,memberUid,entry by set="[ldap:///ou=people,dc=example,dc=com?1.1?sub?(&(objectClass=inetOrgPerson)(employeeType=chief))]/entryDN & user" write
wow ! no chance I could find that on my own, especially because the slapd.access manpage says « The statement set=<pattern> is undocumented yet. » :-)
The only documentation is in http://www.openldap.org/faq/data/cache/1133.html.
We have 2 complete examples and docs waiting in:
(ITS#5281) doc contribution - set examples - following references
I just haven't decided where they should go...whether in the slapd* sections or a new ACL section. I prefer the latter.