Dear list
I've posted this question before. Maybe it's my bad English, but I didn't get a solution, nor an answer of "it's impossible" either, so I am just posting again (yes, I know people answer me for free and out of kindness, and I am really thankful for all feedback).
Is it possible to define an ACL such that every user who has successfully bound (logged in) can modify their own entry as well as the sub-entries under it?
e.g. dn: ou=support,xxx
If a connection is bound to this dn, it can modify these entries:
dn: cn=Wang Penghui,ou=support,xxx
dn: cn=Zhang Weiwu,ou=support,xxx
Now we have some 3000 people who can log in to the LDAP database, and each is logged in as an entry which is an organization or organizationalUnit. They all need to be able to modify entries within their own organization or organizationalUnit.
I know how to define one ACL rule for one user to be able to modify an entry and its subtree, but in my case I would need to define 3000 ACL rules (and this number is still growing). Can such a permission requirement be defined with a limited number of ACL rules?
Best Regards
Zhang Weiwu wrote:
> Dear list
> I've posted this question before. Maybe it's my bad English, but I didn't get a solution, nor an answer of "it's impossible" either, so I am just posting again (yes, I know people answer me for free and out of kindness, and I am really thankful for all feedback).
> Is it possible to define an ACL such that every user who has successfully bound (logged in) can modify their own entry as well as the sub-entries under it?
> e.g. dn: ou=support,xxx
> If a connection is bound to this dn, it can modify these entries:
> dn: cn=Wang Penghui,ou=support,xxx
> dn: cn=Zhang Weiwu,ou=support,xxx
> Now we have some 3000 people who can log in to the LDAP database, and each is logged in as an entry which is an organization or organizationalUnit. They all need to be able to modify entries within their own organization or organizationalUnit.
> I know how to define one ACL rule for one user to be able to modify an entry and its subtree, but in my case I would need to define 3000 ACL rules (and this number is still growing). Can such a permission requirement be defined with a limited number of ACL rules?
Just use a regular expression (dn.regex) and capture the user's cn, cn=(.*), and ou=support,(.*), then use $1 and $2.
man slapd.access
Best Regards
Zhang Weiwu Real Softservice http://www.realss.com +86 592 2091112
Zhang Weiwu writes:
> Is it possible to define an ACL such that every user who has successfully bound (logged in) can modify their own entry as well as the sub-entries under it?
> e.g. dn: ou=support,xxx
> If a connection is bound to this dn, it can modify these entries:
> dn: cn=Wang Penghui,ou=support,xxx
> dn: cn=Zhang Weiwu,ou=support,xxx
Something like this:
access to attrs=userPassword by self =wx by * auth
access to dn.regex="^(.+,)?(ou?=[^,]+,xxx)$" by dn.expand="$2" write by * read
Since you must first say what to access and then who should get access to it, this variant depends on getting the regex for who can access things exactly right.
This prevents 'ou' users from changing someone else's userPassword though. So you can put this at the top to combine the two accesses:
access to attrs=userPassword dn.regex="^(.+,)?(ou?=[^,]+,xxx)$" by self write by dn.expand="$2" write by * read
Or you could do something like this (untested):
access to * by * read break
access to dn.regex="^(.+,)?(ou?=[^,]+,xxx)$" by dn.expand="$2" write break by * +0 break
access to attrs=userPassword by self =wx by * -rscd
access to * by * +0
The 'break' means to go on and process the next access statements even when the 'to' matches the entry being accessed. '+' and '-' mean to add to or subtract from the access already granted. The final access matches everything and stops the default access rules from being used, so things done with 'break' do not get overridden unexpectedly.
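The two rule sets above, plus the dn.regex/$n capture suggested in the earlier reply, can be hard to reason about by hand because slapd stops at the first matching 'by' clause and 'break' changes that. The following is an added example, not code from the thread or from OpenLDAP: a small Python simulation of that walk that takes the exact access directives above (with the thread's placeholder suffix "xxx" and its regex) and reports which privilege letters a given bind DN ends up with on a given attribute of a given entry. The level-to-privilege table follows slapd.access(5); DN comparison is simplified to case-insensitive string equality, where real slapd compares normalized DNs.

```python
import re

# Privilege letters implied by each slapd access level (slapd.access(5)):
# m(anage) > w(rite) > r(ead) > s(earch) > c(ompare) > x (auth) > d(isclose).
LEVELS = {
    "none": set(), "disclose": set("d"), "auth": set("xd"),
    "compare": set("cxd"), "search": set("scxd"), "read": set("rscxd"),
    "write": set("wrscxd"), "manage": set("mwrscxd"),
}

# The regex from the thread; "xxx" is the thread's placeholder for the real suffix.
OU_REGEX = r"^(.+,)?(ou?=[^,]+,xxx)$"


def apply_access(current, spec):
    """Apply one access spec: a level name, or =/+/- followed by privilege letters."""
    if spec in LEVELS:
        return set(LEVELS[spec])
    op, privs = spec[0], set(spec[1:]) - {"0"}   # "+0" means "add nothing"
    if op == "=":
        return privs
    if op == "+":
        return current | privs
    if op == "-":
        return current - privs
    raise ValueError("bad access spec: " + spec)


def evaluate(rules, bind_dn, target_dn, attr):
    """Simulate slapd's ACL walk and return the privilege set bind_dn ends up
    with on attribute attr of entry target_dn.

    rules: list of (to, by). to is a dict with optional "dn_regex" and
    "attrs" (a lowercase set). by is a list of (who, spec, control), where who
    is "self", "*" or ("dn.expand", "$n"), and control is "stop" or "break".
    """
    access = set()
    for to, by in rules:
        match = None
        if "dn_regex" in to:
            match = re.match(to["dn_regex"], target_dn, re.IGNORECASE)
            if match is None:
                continue
        if "attrs" in to and attr.lower() not in to["attrs"]:
            continue
        # The first <who> clause that matches decides; if none matches, slapd
        # applies its implicit "by * none stop".
        for who, spec, control in by:
            if who == "self":
                hit = bind_dn.lower() == target_dn.lower()
            elif who == "*":
                hit = True
            else:  # ("dn.expand", template): fill $n from the dn.regex groups
                expanded = re.sub(r"\$(\d)",
                                  lambda g: match.group(int(g.group(1))) or "",
                                  who[1])
                hit = bind_dn.lower() == expanded.lower()
            if not hit:
                continue
            access = apply_access(access, spec)
            if control == "break":
                break          # go on to the next access directive
            return access      # "stop": evaluation ends here
        else:
            return set()       # no <who> matched: implicit "by * none stop"
    return access


# First variant from the answer:
#   access to attrs=userPassword by self =wx by * auth
#   access to dn.regex="^(.+,)?(ou?=[^,]+,xxx)$" by dn.expand="$2" write by * read
RULES_FIRST = [
    ({"attrs": {"userpassword"}}, [("self", "=wx", "stop"), ("*", "auth", "stop")]),
    ({"dn_regex": OU_REGEX}, [(("dn.expand", "$2"), "write", "stop"), ("*", "read", "stop")]),
]

# The "untested" variant built on break and +/-:
#   access to * by * read break
#   access to dn.regex="..." by dn.expand="$2" write break by * +0 break
#   access to attrs=userPassword by self =wx by * -rscd
#   access to * by * +0
RULES_BREAK = [
    ({}, [("*", "read", "break")]),
    ({"dn_regex": OU_REGEX}, [(("dn.expand", "$2"), "write", "break"), ("*", "+0", "break")]),
    ({"attrs": {"userpassword"}}, [("self", "=wx", "stop"), ("*", "-rscd", "stop")]),
    ({}, [("*", "+0", "stop")]),
]

if __name__ == "__main__":
    # Constructed sample DNs in the thread's naming scheme.
    entry = "cn=Wang Penghui,ou=support,xxx"
    for name, rules in (("first", RULES_FIRST), ("break", RULES_BREAK)):
        for bind, attr in (("ou=support,xxx", "cn"), ("ou=support,xxx", "userPassword"),
                           ("ou=sales,xxx", "cn"), (entry, "userPassword")):
            print(name, bind, attr, "".join(sorted(evaluate(rules, bind, entry, attr))))
```

Running it shows the difference the answer describes: under the first variant the ou=support user gets only auth (x,d) on a member's userPassword, because the attrs=userPassword directive stops evaluation before the dn.regex directive is reached; under the break variant the same user keeps w (and x) on the password, a user bound as ou=sales,xxx is left with read on the support entries and auth on their passwords, and each person still gets =wx on their own password. The regex capture is what keeps the rule count constant: $2 expands to whatever "o=..." or "ou=..." component the target entry sits under, so one directive covers all 3000 organizations.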
On Tue, 2007-05-15 at 17:08 +0200, Hallvard B Furuseth wrote:
> Zhang Weiwu writes:
> > Is it possible to define an ACL such that every user who has successfully bound (logged in) can modify their own entry as well as the sub-entries under it?
> > e.g. dn: ou=support,xxx
> > If a connection is bound to this dn, it can modify these entries:
> > dn: cn=Wang Penghui,ou=support,xxx
> > dn: cn=Zhang Weiwu,ou=support,xxx
> Something like this:
> access to attrs=userPassword by self =wx by * auth
> access to dn.regex="^(.+,)?(ou?=[^,]+,xxx)$" by dn.expand="$2" write by * read
> Since you must first say what to access and then who should get access to it, this variant depends on getting the regex for who can access things exactly right.
> This prevents 'ou' users from changing someone else's userPassword though. So you can put this at the top to combine the two accesses:
> access to attrs=userPassword dn.regex="^(.+,)?(ou?=[^,]+,xxx)$" by self write by dn.expand="$2" write by * read
> Or you could do something like this (untested):
> access to * by * read break
> access to dn.regex="^(.+,)?(ou?=[^,]+,xxx)$" by dn.expand="$2" write break by * +0 break
> access to attrs=userPassword by self =wx by * -rscd
> access to * by * +0
> The 'break' means to go on and process the next access statements even when the 'to' matches the entry being accessed. '+' and '-' mean to add to or subtract from the access already granted. The final access matches everything and stops the default access rules from being used, so things done with 'break' do not get overridden unexpectedly.
Thanks very much for this very detailed and helpful answer! I think now I am very close to getting my system configured :)
openldap-software@openldap.org