1:02 p.m.
Hi all,
I am runing an openldap 2.4.7 on debian with small local schema
modifications: a few more attributes and an objectClass derived from
inetOrgPerson.
I have looked in the administrator's guide and the slapd.access manpage
but I can't figure out how to do the following: I want to give write
access depending on the value of an attribute.
something like:
access to dn="cn=foo,ou=groups,dc=example,dc=com"
attrs=cn,description,memberUid,entry
by (&(objectClass=inetOrgPerson)(employeeType=chief)) write
If I have read the manpage correctly, I can't do it with a filter. Is
there any way to get this behavior ?
It is not clear for me if the "dynacl" I saw in the manpage:
- can solve this problem
- are compulsory to solve it
any help ? example ?
thanks.
--
Fabrice Eudes -o)
Clé PGP 88AC3A66 /\\
Utilisateur Linux n°245401 _\_V
Tel 09 50 77 73 78
Fax 09 55 77 73 78
2:30 p.m.
Fabrice Eudes wrote:
Hi all,
I am runing an openldap 2.4.7 on debian with small local schema
modifications: a few more attributes and an objectClass derived from
inetOrgPerson.
I have looked in the administrator's guide and the slapd.access
manpage but I can't figure out how to do the following: I want to give
write access depending on the value of an attribute.
something like:
access to dn="cn=foo,ou=groups,dc=example,dc=com"
attrs=cn,description,memberUid,entry
by (&(objectClass=inetOrgPerson)(employeeType=chief)) write
If I have read the manpage correctly, I can't do it with a filter. Is
there any way to get this behavior ?
It is not clear for me if the "dynacl" I saw in the manpage:
- can solve this problem
- are compulsory to solve it
any help ? example ?
thanks.
I am not sure how to do exactly what you ask, but an alternative would
be to use the "group" <who> clause.
If all your "chiefs" are in a common group, just add:
by group.exact="cn=Chiefs,ou=Groups,dc=example,dc=com" write
/Tobias
12:09 a.m.
Hi all,
I am runing an openldap 2.4.7 on debian with small local schema
modifications: a few more attributes and an objectClass derived from
inetOrgPerson.
I have looked in the administrator's guide and the slapd.access manpage
but I can't figure out how to do the following: I want to give write
access depending on the value of an attribute.
an attribute in the target (the "what") or in the user (the "who")?
something like:
access to dn="cn=foo,ou=groups,dc=example,dc=com"
attrs=cn,description,memberUid,entry
by (&(objectClass=inetOrgPerson)(employeeType=chief)) write
This syntax is not valid.
If I have read the manpage correctly, I can't do it with a
filter. Is
there any way to get this behavior ?
If access depends on values in the "what", use filter="<your
filter>" in
the "what" clause; if access depends on values in the "who", use sets;
in
your case, something like
access to dn="cn=foo,ou=groups,dc=example,dc=com"
attrs=cn,description,memberUid,entry
by
set="[ldap:///ou=people,dc=example,dc=com?1.1?sub?(&(objectClass=inetOrgPerson)(employeeType=chief))]/entryDN
& user" write
should work (note: indentation has probably been destroyed by my mailer).
It is not clear for me if the "dynacl" I saw in the
manpage:
- can solve this problem
- are compulsory to solve it
Dynacl has nothing to do. In fact, dynacl is a mechanism that allows you
to code access checking yourself, and plug it in as a run-time loadable
object. So, by itself, it would allow a lot of freedom, provided you can
wirte the code that does what you mean.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati(a)sys-net.it
---------------------------------------
6:34 a.m.
Hi,
(I've enabled long lines without wrapping)
Pierangelo Masarati a écrit :
if access depends on values in the "who", use sets; in your
case,
something like
access to dn="cn=foo,ou=groups,dc=example,dc=com"
attrs=cn,description,memberUid,entry by
set="[ldap:///ou=people,dc=example,dc=com?1.1?sub?(&(objectClass=inetOrgPerson)(employeeType=chief))]/entryDN
& user" write
wow ! no chance I could find that on my own, especially
because the
slapd.access manpage says « The statement set=<pattern> is undocumented
yet. » :-)
should work (note: indentation has probably been destroyed by my
mailer).
no, it doesn't work :-(
precisely, in slapd.conf, I've added:
access to dn.children="ou=groupes,dc=domain"
attrs=cn,description,memberUid,entry
by dn="cn=adminLDAP,dc=domain" write
by
set="[ldap:///ou=personnes,dc=domain?1.1?sub?(&(objectClass=iremLillePerson)(groupesTravail=1200))]/entryDN
& user" write
by users read
iremLillePerson = inetOrgPerson +
groupesTravail(multi-valued)
1200 = value of the attribute for which I want to give write access.
when I give an explicit:
by dn="cn=name,ou=personnes,dc=domain"
instead of the set clause, it works.
any idea ?
Dynacl has nothing to do.
ok, thanks for making this clear.
--
Fabrice Eudes -o)
Clé PGP 88AC3A66 /\\
Utilisateur Linux n°245401 _\_V
Tel 09 50 77 73 78
Fax 09 55 77 73 78
12:57 p.m.
Fabrice Eudes wrote:
Pierangelo Masarati a écrit :
> if access depends on values in the "who", use sets; in your case,
> something like
>
> access to dn="cn=foo,ou=groups,dc=example,dc=com"
> attrs=cn,description,memberUid,entry by
>
set="[ldap:///ou=people,dc=example,dc=com?1.1?sub?(&(objectClass=inetOrgPerson)(employeeType=chief))]/entryDN
> & user" write
wow ! no chance I could find that on my own, especially because the
slapd.access manpage says « The statement set=<pattern> is undocumented
yet. » :-)
The only documentation is in
<http://www.openldap.org/faq/data/cache/1133.html>;.
> should work (note: indentation has probably been destroyed by my
> mailer).
no, it doesn't work :-(
precisely, in slapd.conf, I've added:
> access to dn.children="ou=groupes,dc=domain"
> attrs=cn,description,memberUid,entry
> by dn="cn=adminLDAP,dc=domain" write
> by
>
set="[ldap:///ou=personnes,dc=domain?1.1?sub?(&(objectClass=iremLillePerson)(groupesTravail=1200))]/entryDN
> & user" write by users read
iremLillePerson = inetOrgPerson + groupesTravail(multi-valued)
1200 = value of the attribute for which I want to give write access.
when I give an explicit:
by dn="cn=name,ou=personnes,dc=domain"
instead of the set clause, it works.
My fault (and a bug in the code): remove the "1.1", leaving the
"attrs"
field of the URI empty.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati(a)sys-net.it
---------------------------------------
1:36 p.m.
Hi,
Pierangelo Masarati a écrit :
The only documentation is in
<http://www.openldap.org/faq/data/cache/1133.html>;.
yes. I found it a few
minutes ago, thanks for the tip.
My fault (and a bug in the code): remove the "1.1", leaving
the "attrs"
field of the URI empty.
I tried this but still can't get it to work :-(
set="[ldap:///ou=personnes,dc=domain??sub?(&(objectClass=iremLillePerson)(groupesTravail=1200))]/entryDN
& user" write
fails
set="[ldap:///ou=personnes,dc=domain??sub?(&(objectClass=iremLillePerson)(groupesTravail=1200))]/entryDN"
write
fails
by dn="cn=chief,ou=personnes,dc=domain"
where
groupesTravail of cn=chief contains the value 1200.
I checked that the filter part is fine.
don't know what to do next... :-(
--
Fabrice Eudes -o)
Clé PGP 88AC3A66 /\\
Utilisateur Linux n°245401 _\_V
Tel 09 50 77 73 78
Fax 09 55 77 73 78
1:41 p.m.
Fabrice Eudes wrote:
I tried this but still can't get it to work :-(
>
set="[ldap:///ou=personnes,dc=domain??sub?(&(objectClass=iremLillePerson)(groupesTravail=1200))]/entryDN
> & user" write
fails
>
set="[ldap:///ou=personnes,dc=domain??sub?(&(objectClass=iremLillePerson)(groupesTravail=1200))]/entryDN"
> write
fails
> by dn="cn=chief,ou=personnes,dc=domain"
where groupesTravail of cn=chief contains the value 1200.
I checked that the filter part is fine.
don't know what to do next... :-(
Of course, the user needs to have "search" access to the entry, the
attributes and values that are used in the filter... in your case, to
attrs entry, objectClass and groupesTravail of the user object.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati(a)sys-net.it
---------------------------------------
1:39 p.m.
Pierangelo Masarati wrote:
My fault (and a bug in the code): remove the "1.1", leaving
the "attrs"
field of the URI empty.
Leaving the "attrs" field empty should do the trick. In the meanwhile,
a fix is in HEAD (ITS#5384).
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati(a)sys-net.it
---------------------------------------
12:16 p.m.
Pierangelo Masarati wrote:
Fabrice Eudes wrote:
> Pierangelo Masarati a écrit :
>> if access depends on values in the "who", use sets; in your case,
>> something like
>>
>> access to dn="cn=foo,ou=groups,dc=example,dc=com"
>> attrs=cn,description,memberUid,entry by
>>
set="[ldap:///ou=people,dc=example,dc=com?1.1?sub?(&(objectClass=inetOrgPerson)(employeeType=chief))]/entryDN
>> & user" write
> wow ! no chance I could find that on my own, especially because the
> slapd.access manpage says « The statement set=<pattern> is undocumented
> yet. » :-)
The only documentation is in
<http://www.openldap.org/faq/data/cache/1133.html>;.
We have 2 complete examples and docs waiting in:
(ITS#5281) doc contribution - set examples - following references
I just haven't decided where they should go...whether in the slapd*
sections or a new ACL section. I prefer the later.
--
Kind Regards,
Gavin Henry.
OpenLDAP Engineering Team.
E ghenry(a)OpenLDAP.org
Community developed LDAP software.
http://www.openldap.org/project/
5461
days inactive
5463
days old
openldap-software@openldap.org
8 comments
4 participants
participants (4)
-
Fabrice Eudes -
Gavin Henry -
Pierangelo Masarati -
Tobias Franzén