Hi all,
I am running an openldap 2.4.7 on debian with small local schema modifications: a few more attributes and an objectClass derived from inetOrgPerson.
I have looked in the administrator's guide and the slapd.access manpage but I can't figure out how to do the following: I want to give write access depending on the value of an attribute.
something like: access to dn="cn=foo,ou=groups,dc=example,dc=com" attrs=cn,description,memberUid,entry by (&(objectClass=inetOrgPerson)(employeeType=chief)) write
If I have read the manpage correctly, I can't do it with a filter. Is there any way to get this behavior ?
It is not clear to me whether the "dynacl" I saw in the manpage:
- can solve this problem
- are compulsory to solve it
Any help? Example?
Thanks.
An attribute in the target (the "what") or in the user (the "who")?
This syntax is not valid.
If I have read the manpage correctly, I can't do it with a filter. Is there any way to get this behavior ?
If access depends on values in the "what", use filter="<your filter>" in the "what" clause; if access depends on values in the "who", use sets; in your case, something like
access to dn="cn=foo,ou=groups,dc=example,dc=com" attrs=cn,description,memberUid,entry by set="[ldap:///ou=people,dc=example,dc=com?1.1?sub?(&(objectClass=inetOrgPerson)(employeeType=chief))]/entryDN & user" write
should work (note: indentation has probably been destroyed by my mailer).
Dynacl has nothing to do with it. In fact, dynacl is a mechanism that allows you to code access checking yourself, and plug it in as a run-time loadable object. So, by itself, it would allow a lot of freedom, provided you can write the code that does what you mean.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it --------------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati@sys-net.it ---------------------------------------
Hi, (I've enabled long lines without wrapping)
Pierangelo Masarati wrote:
Wow! No chance I could find that on my own, especially because the slapd.access manpage says « The statement set=<pattern> is undocumented yet. » :-)
should work (note: indentation has probably been destroyed by my mailer).
No, it doesn't work :-( Precisely, in slapd.conf, I've added:
iremLillePerson = inetOrgPerson + groupesTravail (multi-valued)
1200 = value of the attribute for which I want to give write access.
When I give an explicit by dn="cn=name,ou=personnes,dc=domain" instead of the set clause, it works.
Any idea?
Dynacl has nothing to do with it.
OK, thanks for making this clear.
Fabrice Eudes wrote:
The only documentation is in http://www.openldap.org/faq/data/cache/1133.html.
My fault (and a bug in the code): remove the "1.1", leaving the "attrs" field of the URI empty.
p.
Hi,
Pierangelo Masarati wrote:
The only documentation is in http://www.openldap.org/faq/data/cache/1133.html.
Yes. I found it a few minutes ago, thanks for the tip.
My fault (and a bug in the code): remove the "1.1", leaving the "attrs" field of the URI empty.
I tried this but still can't get it to work :-(
set="[ldap:///ou=personnes,dc=domain??sub?(&(objectClass=iremLillePerson)(groupesTravail=1200))]/entryDN & user" write
fails
set="[ldap:///ou=personnes,dc=domain??sub?(&(objectClass=iremLillePerson)(groupesTravail=1200))]/entryDN" write
fails
by dn="cn=chief,ou=personnes,dc=domain"
where groupesTravail of cn=chief contains the value 1200.
I checked that the filter part is fine.
Don't know what to do next... :-(
Fabrice Eudes wrote:
Of course, the user needs to have "search" access to the entry, the attributes and values that are used in the filter... in your case, to attrs entry, objectClass and groupesTravail of the user object.
p.
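To make the two pieces of advice in this thread concrete, here is an added slapd.conf fragment (written for this page, not posted by anyone in the thread) that combines the corrected set clause with the search access Pierangelo says the set expansion needs. The object class, attribute, value and DNs are the ones Fabrice gave; everything else is an assumption.

```conf
# Added example, not from the thread. Assumes the OP's schema
# (iremLillePerson, multi-valued groupesTravail) and suffix dc=domain.

# The set is expanded by an internal search run with the bound user's
# identity, so that user must be allowed to search its own entry on the
# attributes named in the filter. Without this rule the set is empty and
# the "write" clause below never matches.
access to dn.subtree="ou=personnes,dc=domain"
    attrs=entry,objectClass,groupesTravail
    by self search

# Corrected set clause: the attrs field of the URI is left empty
# ("??sub?"), not "1.1", because of the bug tracked as ITS#5384.
# The search yields the entryDN of every matching person; intersecting
# that set with the bound user's DN is non-empty exactly when the user
# has groupesTravail=1200.
access to dn.exact="cn=foo,ou=groups,dc=domain"
    attrs=cn,description,memberUid,entry
    by set="[ldap:///ou=personnes,dc=domain??sub?(&(objectClass=iremLillePerson)(groupesTravail=1200))]/entryDN & user" write
```

Two practical points. First, slapd stops at the first "access to" clause whose "what" matches, so the search rule for ou=personnes has to be merged with whatever other rules already cover those attributes rather than simply appended after them. Second, the cheapest way to check the prerequisite is to bind as the user with ldapsearch and run the set's own search (base ou=personnes,dc=domain, scope sub, the same filter, requesting entryDN): if the user's own DN does not come back, the write rule cannot match either, and the problem is the search access, not the set syntax.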
Pierangelo Masarati wrote:
My fault (and a bug in the code): remove the "1.1", leaving the "attrs" field of the URI empty.
Leaving the "attrs" field empty should do the trick. In the meantime, a fix is in HEAD (ITS#5384).
p.
Pierangelo Masarati wrote:
We have 2 complete examples and docs waiting in:
(ITS#5281) doc contribution - set examples - following references
I just haven't decided where they should go... whether in the slapd* sections or a new ACL section. I prefer the latter.