Hi list.
I'm using OpenLDAP 2.3.35 for my mail user database, and I have this structure:
uid=user1,ou=People,dc=domain,dc=br
ou=ImpPrefs,uid=user1,ou=People,dc=domain,dc=br
cn=user1,ou=PersonalAddressBook,dc=domain,dc=br
I'm trying to make ACLs that permit only the user himself ("self") to write to his ImpPrefs and PersonalAddressBook, without success.
I did not find many examples of ACLs with regex. I tried:
access to dn="^.*,uid=([^,]+),(.*),ou=People,dc=domain,dc=br" by dn="uid=$1,$2,ou=People,dc=domain,dc=br" write by * none
but this gives me an error.
Can somebody help me?
Answer to myself:
access to dn.regex="^.*,uid=([^,]+),(.*),ou=People,dc=domain,dc=br$" by dn.exact,expand="uid=$1,$2,ou=People,dc=domain,dc=br" write by * none
Am I right?
Jeronimo Zucco wrote:
access to dn.regex="^.*,uid=([^,]+),(.*),ou=People,dc=domain,dc=br$" by dn.exact,expand="uid=$1,$2,ou=People,dc=domain,dc=br" write by * none
What about
access to dn.regex="^.*,(uid=[^,]+,.+,ou=People,dc=domain,dc=br)$" by dn.exact,expand="$1" write
? p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
On 5/14/07, Jeronimo Zucco jczucco@ucs.br wrote:
Hi Jeronimo,
Please try this:
access to dn.regex="^ou=ImpPrefs,uid=([^,]+),ou=People,dc=domain,dc=br$" attrs=children by dn.regex,expand="uid=$1,ou=people,dc=domain,dc=br" write by * none
access to dn.regex="^cn=([^,]+),ou=PersonalAddressBook,dc=domain,dc=br$" attrs=children by dn.regex,expand="uid=$1,ou=people,dc=domain,dc=br" write by * none
Sam
Thanks to everyone for the help.
ImpPrefs works OK with:
access to dn.regex="^.*,uid=([^,]+),(.*),ou=People,dc=domain,dc=br$" by dn.exact,expand="uid=$1,$2,ou=People,dc=domain,dc=br" write by * none
But PersonalAddressBook still has problems.
With:
access to dn.regex="^cn=([^,]+),ou=PersonalAddressBook,dc=domain,dc=br$" attrs=children by dn.regex,expand="uid=$1,ou=people,dc=domain,dc=br" write by * none
everyone can access the PersonalAddressBook of others.
With:
access to dn.regex="^.*,(uid=[^,]+,.+,ou=People,dc=domain,dc=br)$" by dn.exact,expand="$1" write
it's too permissive, I guess.
I also tried:
access to dn.regex="ou=([^,]+),ou=PersonalAddressBook,dc=domain,dc=br$" by dn.exact,expand="uid=$1,.*" write by anonymous read
It does not work.
access to dn.regex="^.*,ou=([^,]+),ou=PersonalAddressBook,dc=domain,dc=br$" by dn.exact,expand="uid=$1,.*" write by anonymous read
does not work either :-(
This is an ACL mystery :-)
If you have more suggestions, I will appreciate them.
Jeronimo Zucco wrote:
With:
access to dn.regex="^.*,(uid=[^,]+,.+,ou=People,dc=domain,dc=br)$" by dn.exact,expand="$1" write
it's too permissive, I guess.
Your guess is wrong. They're perfectly equivalent, but mine is much more efficient. But please, keep guessing...
What about a brute force approach, piping /dev/random into slapd.conf?
Or, try (please replace "dc=suffix" with your suffix; I had to use it otherwise my mailer would automatically wrap stuff)
# allow to write the "ou=ImpPrefs" below self (must exist)
# (as posted, this rule read "ou=ImPrefs" and expanded "$2"; the pattern has only one group, so it is $1)
access to dn.regex="^ou=ImpPrefs,uid=([^,]+,ou=People,dc=suffix)$" by dn.exact,expand="uid=$1" write
# allow to create objects in one's addressbook (must exist)
access to dn.regex="cn=([^,]+),ou=PersonalAddressBook,dc=suffix$" attrs=children by dn.exact,expand="uid=$1,ou=People,dc=suffix" write
# allow to create objects in one's addressbook
access to dn.regex="(.+,)?cn=([^,]+),ou=PersonalAddressBook,dc=suffix$" by dn.exact,expand="uid=$2,ou=People,dc=suffix" write
I note that if you need to do something special, like allow a user to create the "ou=ImpPrefs" entry, or the "cn=<uid>" entry in "ou=PersonalAddressBook,dc=suffix", then you'll need more rules to allow entry and children writing.
p.
Thanks for the help, Pierangelo, but it's still not working.
Pierangelo Masarati wrote:
What about a brute force approach, piping /dev/random into slapd.conf?
How can I do this?
Or, try (please replace "dc=suffix" with your suffix; I had to use it otherwise my mailer would automatically wrap stuff)
# allow to write the "ou=ImPrefs" below self (must exist)
access to dn.regex="^ou=ImPrefs,uid=([^,]+,ou=People,dc=suffix)$" by dn.exact,expand="uid=$2" write
This doesn't work: user1 reads the ImpPrefs of other users and can't write his own ImpPrefs. But my following regex works fine:
access to dn.regex="^.*,uid=([^,]+),(.*),ou=People,dc=ucs,dc=br$" by dn.exact,expand="uid=$1,$2,ou=People,dc=ucs,dc=br" write by * none
# allow to create objects in one's addressbook (must exist)
access to dn.regex="cn=([^,]+),ou=PersonalAddressBook,dc=suffix$" attrs=children by dn.exact,expand="uid=$1,ou=People,dc=suffix" write
# allow to create objects in one's addressbook
access to dn.regex="(.+,)?cn=([^,]+),ou=PersonalAddressBook,dc=suffix$" by dn.exact,expand="uid=$2,ou=People,dc=suffix" write
I tried this and it does not work :-(
I also tried to adapt it to my LDAP structure:
access to dn.regex="ou=([^,]+),cn=*,ou=PersonalAddressBook,dc=suffix$" by dn.exact,expand="uid=$1,*,ou=People,dc=ucs,dc=br" write
but it does not work. It's not so easy :-(
I note that if you need to do something special, like allow a user to create the "ou=ImpPrefs" entry, or the "cn=<uid>" entry in "ou=PersonalAddressBook,dc=suffix", then you'll need more rules to allow entry and children writing.
None work yet. I set ACL debugging in my slapd.conf and got this log when I tried to change my own PersonalAddressBook with the ACL:
access to dn.regex="ou=([^,]+),cn=*,ou=PersonalAddressBook,dc=suffix$" by dn.exact,expand="uid=$1,*,ou=People,dc=ucs,dc=br" write
LOG:
slapd[3497]: modifications:
slapd[3497]: 	replace: mail
slapd[3497]: 		one value, length 14
slapd[3497]: conn=0 op=12 MOD dn="cn=foo bar,ou=user1,ou=PersonalAddressBook,dc=suffix"
slapd[3497]: conn=0 op=12 MOD attr=mail
slapd[3497]: bdb_dn2entry("cn=foo bar,ou=user1,ou=personaladdressbook,dc=suffix")
slapd[3497]: bdb_modify: cn=foo bar,ou=user1,ou=PersonalAddressBook,dc=suffix
slapd[3497]: bdb_dn2entry("cn=foo bar,ou=user1,ou=personaladdressbook,dc=suffix")
slapd[3497]: bdb_modify_internal: 0x00021fa3: cn=foo bar,ou=user1,ou=PersonalAddressBook,dc=suffix
slapd[3497]: => access_allowed: delete access to "cn=foo bar,ou=user1,ou=PersonalAddressBook,dc=suffix" "mail" requested
slapd[3497]: => dnpat: [4] ^.*,uid=([^,]+),(.*),ou=People,dc=suffix$ nsub: 2
slapd[3497]: => dnpat: [5] ou=([^,]+),cn=*,ou=PersonalAddressBook,dc=suffix$ nsub: 1
slapd[3497]: => acl_get: [6] attr mail
slapd[3497]: access_allowed: no res from state (mail)
slapd[3497]: => acl_mask: access to entry "cn=foo bar,ou=user1,ou=PersonalAddressBook,dc=suffix", attr "mail" requested
May 15 09:27:36 ops2 slapd[3497]: => acl_mask: to all values by "uid=user1,ou=npdu,ou=prad,ou=reit,ou=people,dc=suffix", (=0)
slapd[3497]: <= check a_dn_pat: *
slapd[3497]: <= acl_mask: [1] applying read(=rscxd) (stop)
slapd[3497]: <= acl_mask: [1] mask: read(=rscxd)
slapd[3497]: => access_allowed: delete access denied by read(=rscxd)
slapd[3497]: bdb_modify: modify failed (50)
slapd[3497]: send_ldap_result: conn=0 op=12 p=3
slapd[3497]: send_ldap_result: err=50 matched="" text=""
slapd[3497]: send_ldap_response: msgid=13 tag=103 err=50
slapd[3497]: conn=0 op=12 RESULT tag=103 err=50 text=
If you have more suggestions, please let me know.
Now it is working, with the following ACL:
access to dn.regex="^cn=(.*),ou=([^,]+),ou=PersonalAddressBook,suffix$" by dn.regex="uid=$2,.*,ou=People,dc=suffix$" write
On Tuesday, 15 May 2007, Jeronimo Zucco wrote:
If this one works, it conflicts with the example user DNs you supplied (where you had a cn value in the user's addressbook container matching the uid naming attribute in their DN).
And, even if it does work, it is, as I noted on IRC, horribly insecure. Your users cannot expect *any* privacy with this regex.
If you can't sanitise the DNs in your examples without confusing the issue, maybe you should post the real DNs, so that people help you with the problem you have, not the one you think you have ...
Regards, Buchan
Buchan Milne wrote:
And, even if it does work, it is, as I noted on IRC, horribly insecure. Your users cannot expect *any* privacy with this regex.
Yes, I'm working on migrating applications to use PersonalAddressBook under the user entry. Until then, I will use these ACLs.
If you can't sanitise the DNs in your examples without confusing the issue, maybe you should post the real DNs, so that people help you with the problem you have, not the one you think you have ...
I'm sorry if I wasn't able to explain my structure correctly; it was my fault. It wasn't my intention. Thanks to all for the help.
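Every rule in this thread relies on the same mechanism: the `to dn.regex` pattern is matched against the target entry's DN, its parenthesised submatches are substituted for `$1`, `$2`, ... in the `by` clause, and the result is compared with the bind DN either literally (`dn.exact,expand`) or as a second regex (`dn.regex`). The script below is an added example, not code from the thread or from OpenLDAP; it models that evaluation (case-insensitive, unanchored matching; verbatim substitution; first matching `to`, then first matching `by`, wins; implicit `by * none`) and runs the thread's rules over constructed DNs: the ImpPrefs rule in its two-group and one-group forms (which Pierangelo says are equivalent), the final PersonalAddressBook rule, and the reversed-order rule from the debug log. Assumptions: the suffix is the sanitized `dc=domain,dc=br`; user entries sit under the intermediate OUs the log shows; the `ou=j.doe` container and the `uid=j-doe` user are constructed to show what a `dn.regex` by-clause does with a submatch that contains a regex metacharacter; the `dn.exact,expand` variant of the address-book rule is my rewrite, and it only works because the example users share one OU path.

```python
import re

# Added example, not code from the thread or from OpenLDAP: a model of how slapd
# evaluates "access to dn.regex=<re> by dn.exact,expand=<pat>" / "by dn.regex=<pat>"
# rules, run over constructed DNs. Behaviour modelled (OpenLDAP 2.3 acl.c):
#  - the "to dn.regex" pattern is compiled case-insensitively (REG_ICASE) and
#    searched, unanchored, in the target's normalized DN ("^"/"$" are explicit);
#  - "$N" in a "by" pattern is replaced by submatch N of the "to" regex,
#    verbatim, with no escaping of regex metacharacters;
#  - "dn.exact,expand" compares the expanded string with the requester's
#    normalized DN; "dn.regex" compiles the expanded string as another regex;
#  - the first matching "to" clause decides; within it the first matching "by"
#    clause wins, and if none matches the request is denied.

def normalize(dn):
    """Stand-in for slapd DN normalization: lower-case, no blanks after commas."""
    return re.sub(r",\s*", ",", dn.strip()).lower()

def expand(pattern, match):
    """Substitute $N with submatch N of the 'to' regex, verbatim."""
    return re.sub(r"\$(\d)", lambda g: match.group(int(g.group(1))), pattern)

def by_matches(style, pattern, match, requester_dn):
    """Evaluate one 'by' clause of style "*", "exact,expand" or "regex"."""
    if style == "*":
        return True
    if style == "exact,expand":
        return normalize(expand(pattern, match)) == normalize(requester_dn)
    if style == "regex":
        return re.search(expand(pattern, match), normalize(requester_dn), re.IGNORECASE) is not None
    raise ValueError("unsupported by-style: " + style)

def access_for(rules, requester_dn, target_dn):
    """Access level from the first rule whose 'to' matches; None if no rule applies."""
    for to_regex, by_clauses in rules:
        m = re.search(to_regex, normalize(target_dn), re.IGNORECASE)
        if m is None:
            continue
        for style, pattern, level in by_clauses:
            if by_matches(style, pattern, m, requester_dn):
                return level
        return "none"  # 'to' matched but no 'by' did: slapd's implicit "by * none"
    return None

# Constructed DNs: the thread's sanitized suffix, user entries under the
# intermediate OUs the debug log shows, and the entries the thread discusses.
SUFFIX = "dc=domain,dc=br"
PEOPLE = "ou=npdu,ou=prad,ou=reit,ou=People," + SUFFIX
USER1 = "uid=user1," + PEOPLE
USER2 = "uid=user2," + PEOPLE
IMPPREFS1 = "ou=ImpPrefs," + USER1
ABOOK1 = "cn=foo bar,ou=user1,ou=PersonalAddressBook," + SUFFIX

# Jeronimo's ImpPrefs rule and Pierangelo's single-group rewrite of it.
IMPPREFS_TWO_GROUPS = [(r"^.*,uid=([^,]+),(.*),ou=People," + SUFFIX + "$",
                        [("exact,expand", "uid=$1,$2,ou=People," + SUFFIX, "write"),
                         ("*", "", "none")])]
IMPPREFS_ONE_GROUP = [(r"^.*,(uid=[^,]+,.+,ou=People," + SUFFIX + ")$",
                       [("exact,expand", "$1", "write")])]

# The final PersonalAddressBook rule ("suffix" read as the sanitized suffix) and an
# assumed dn.exact,expand rewrite, which must hard-code the OU path because the
# container name carries only the uid.
ABOOK_TO = r"^cn=(.*),ou=([^,]+),ou=PersonalAddressBook," + SUFFIX + "$"
ABOOK_REGEX_BY = [(ABOOK_TO, [("regex", "uid=$2,.*,ou=People," + SUFFIX + "$", "write")])]
ABOOK_EXACT_BY = [(ABOOK_TO, [("exact,expand", "uid=$2," + PEOPLE, "write")])]

# The rule from the debug log: its RDN order (ou before cn) is the reverse of the
# entry's, so it never matches ABOOK1 and evaluation falls through to later rules.
ABOOK_REVERSED = [(r"ou=([^,]+),cn=*,ou=PersonalAddressBook," + SUFFIX + "$",
                   [("exact,expand", "uid=$1,*,ou=People," + SUFFIX, "write")])]

def run_checks():
    """Access the thread's rules grant to the owner and to another user, plus a
    constructed case where the submatch ("j.doe") contains a regex metacharacter."""
    target = "cn=alice,ou=j.doe,ou=PersonalAddressBook," + SUFFIX
    owner, other = "uid=j.doe," + PEOPLE, "uid=j-doe," + PEOPLE
    return {
        "imp_self_2groups": access_for(IMPPREFS_TWO_GROUPS, USER1, IMPPREFS1),
        "imp_other_2groups": access_for(IMPPREFS_TWO_GROUPS, USER2, IMPPREFS1),
        "imp_self_1group": access_for(IMPPREFS_ONE_GROUP, USER1, IMPPREFS1),
        "imp_other_1group": access_for(IMPPREFS_ONE_GROUP, USER2, IMPPREFS1),
        "abook_self": access_for(ABOOK_REGEX_BY, USER1, ABOOK1),
        "abook_other": access_for(ABOOK_REGEX_BY, USER2, ABOOK1),
        "abook_reversed_rule": access_for(ABOOK_REVERSED, USER1, ABOOK1),
        "metachar_regex_owner": access_for(ABOOK_REGEX_BY, owner, target),
        "metachar_regex_other": access_for(ABOOK_REGEX_BY, other, target),  # '.' matches '-'
        "metachar_exact_owner": access_for(ABOOK_EXACT_BY, owner, target),
        "metachar_exact_other": access_for(ABOOK_EXACT_BY, other, target),
    }

if __name__ == "__main__":
    for name, level in run_checks().items():
        print(f"{name:22s} {level}")
```

Running it prints "write" for the owner and "none" for the other user under both ImpPrefs forms, which is the equivalence Pierangelo asserts; None for the reversed-order rule, which is why the log shows evaluation dropping to rule [1]; and, for the `j.doe` container, "write" for both `uid=j.doe` and `uid=j-doe` under the `dn.regex` by-clause but only for `uid=j.doe` under `dn.exact,expand`. The model ignores attribute-level clauses (`attrs=entry`, `attrs=children`) and real DN normalization (escaping, multi-valued RDNs). Against a real slapd.conf the same question is answered by slapacl(8), for example `slapacl -f slapd.conf -D "<bind DN>" -b "<target DN>" mail/write`.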
Jeronimo Zucco wrote:
access to dn="^.*,uid=([^,]+),(.*),ou=People,dc=domain,dc=br" by dn="uid=$1,$2,ou=People,dc=domain,dc=br" write by * none
Why $1 and $2?
I thought you said your users' DN was:
uid=user1,ou=People,dc=domain,dc=br
--
Jeronimo Zucco
LPIC-1 Linux Professional Institute Certified
Núcleo de Processamento de Dados
Universidade de Caxias do Sul
openldap-software@openldap.org