Hello everybody,
I am in need of good advice. I have a problematic spot in my ACL and so far I cannot figure out what to do with it.
This is what needs to be accomplished:
An entry has an attribute uofsGroupRole that may contain values like: uid=some_user, ou=nsids,ou=people,dc=usask,dc=ca:some_role
Only a user with the matching uid may see this attribute and its value.
I tried: access to attrs=uofsGroupRole val.regex="uid=([^,]+),ou=nsids,ou=people,dc=usask,dc=ca.*$" by dn.regex="uid=$1,ou=nsids,ou=people,dc=usask,dc=ca$" read
And it did not work as required. I know the problem is in the regex, but I cannot find it. Any suggestions are greatly appreciated.
Cheers
On Tue, Apr 13, 2010 at 10:38:37AM -0600, Sergiy Stepanenko wrote:
An entry has an attribute uofsGroupRole that may contain values like: uid=some_user, ou=nsids,ou=people,dc=usask,dc=ca:some_role
Only a user with the matching uid may see this attribute and its value.
I tried: access to attrs=uofsGroupRole val.regex="uid=([^,]+),ou=nsids,ou=people,dc=usask,dc=ca.*$" by dn.regex="uid=$1,ou=nsids,ou=people,dc=usask,dc=ca$" read
And it did not work as required. I know the problem is in the regex, but I cannot find it.
The final dollar sign in the 'by' clause needs to be escaped with a second dollar sign, like this example from the slapd.access manpage:
access to dn.regex="^(.+,)?uid=([^,]+),dc=[^,]+,dc=com$" by dn.regex="^uid=$2,dc=[^,]+,dc=com$$" write
In your case, you could probably simplify the 'by' clause like this:
access to attrs=uofsGroupRole val.regex="uid=([^,]+),ou=nsids,ou=people,dc=usask,dc=ca.*$" by dn.exact,expand="uid=$1,ou=nsids,ou=people,dc=usask,dc=ca" read
Make sure that you have a rule that will deny access to other users.
Andrew
On 04/14/2010 12:35 PM, Andrew Findlay wrote:
On Tue, Apr 13, 2010 at 10:38:37AM -0600, Sergiy Stepanenko wrote:
An entry has an attribute uofsGroupRole that may contain values like: uid=some_user, ou=nsids,ou=people,dc=usask,dc=ca:some_role
Only a user with the matching uid may see this attribute and its value.
I tried: access to attrs=uofsGroupRole val.regex="uid=([^,]+),ou=nsids,ou=people,dc=usask,dc=ca.*$" by dn.regex="uid=$1,ou=nsids,ou=people,dc=usask,dc=ca$" read
And it did not work as required. I know the problem is in the regex, but I cannot find it.
The final dollar sign in the 'by' clause needs to be escaped with a second dollar sign, like this example from the slapd.access manpage:
access to dn.regex="^(.+,)?uid=([^,]+),dc=[^,]+,dc=com$" by dn.regex="^uid=$2,dc=[^,]+,dc=com$$" write
In your case, you could probably simplify the 'by' clause like this:
access to attrs=uofsGroupRole val.regex="uid=([^,]+),ou=nsids,ou=people,dc=usask,dc=ca.*$" by dn.exact,expand="uid=$1,ou=nsids,ou=people,dc=usask,dc=ca" read
Thank you. I will test it today and will be back with a result. It is a shame I had not noticed such a thing...
Make sure that you have a rule that will deny access to other users.
Andrew
Hi Andrew, I finally figured it out and here is what I did:
ACL:
access to attrs=uofsGroupRole val.regex="^([^:]+):.+$" by dn.exact,expand="${v1}" read by * none
Only the attribute value that contains the user's DN is available to that user. It works exactly the way I want it. The only difference from the documentation is "${v1}", which is explained here: http://www.openldap.org/lists/openldap-bugs/200811/msg00078.html if you are interested...
Thank you for your response. Cheers
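As an added example (not code from this thread or from OpenLDAP), here is a small Python model of how slapd expands the 'by' clause of Andrew's manpage rule and of the final ${v1} rule, and then decides which uofsGroupRole values a bound DN may read. The `$$`, `$N`/`${N}` and `${vN}` substitutions follow slapd.access(5); the DN normalisation, the index 0 meaning the whole match, and ignoring the attrs= selector are simplifications I assume, and the sample entry values and bound DNs are constructed.

```python
import re

# Constructed sample data (not from the thread): one group entry's uofsGroupRole
# values and the DNs of two users who bind and search for them.
BASE = "ou=nsids,ou=people,dc=usask,dc=ca"
ENTRY_VALUES = [f"uid=alice,{BASE}:admin", f"uid=bob,{BASE}:member"]

# The two ACLs discussed in the thread; 'by' is (style, pattern). 'by * none'
# is modelled by returning False whenever the 'by' clause does not match.
FINAL_ACL = {"val_regex": r"^([^:]+):.+$",
             "by": ("dn.exact,expand", "${v1}")}
MANPAGE_ACL = {"dn_regex": r"^(.+,)?uid=([^,]+),dc=[^,]+,dc=com$",
               "by": ("dn.regex", "^uid=$2,dc=[^,]+,dc=com$$")}

EXPANSION = re.compile(r"\$\$|\$\{v(?P<v>\d)\}|\$\{(?P<brace>\d)\}|\$(?P<bare>\d)")

def expand(pattern, dn_groups, val_groups):
    """Expand a 'by' pattern: '$$' -> literal '$', '$N'/'${N}' -> submatch N of the
    'to dn.regex', '${vN}' -> submatch N of the 'to val.regex' (index 0 = whole match)."""
    def repl(m):
        if m.group(0) == "$$":
            return "$"
        if m.group("v") is not None:
            return val_groups[int(m.group("v"))] or ""
        return dn_groups[int(m.group("brace") or m.group("bare"))] or ""
    return EXPANSION.sub(repl, pattern)

def normalize_dn(dn):
    """Minimal DN normalisation for the 'exact' comparison: drop blanks after commas, case-fold."""
    return re.sub(r",\s+", ",", dn.strip()).lower()

def allowed(entry_dn, value, bound_dn, acl):
    """True if bound_dn matches the expanded 'by' clause for this entry/value pair."""
    dn_groups, val_groups = ("",), ("",)
    if "dn_regex" in acl:                       # 'to dn.regex=...' part, if any
        m = re.match(acl["dn_regex"], entry_dn)
        if not m:
            return False
        dn_groups = (m.group(0),) + m.groups()
    if "val_regex" in acl:                      # 'to attrs=... val.regex=...' part, if any
        m = re.match(acl["val_regex"], value)
        if not m:
            return False
        val_groups = (m.group(0),) + m.groups()
    style, pattern = acl["by"]
    who = expand(pattern, dn_groups, val_groups)
    if style == "dn.exact,expand":              # expanded string compared as a DN
        return normalize_dn(who) == normalize_dn(bound_dn)
    if style == "dn.regex":                     # expanded string used as a regex
        return re.match(who, bound_dn) is not None
    raise ValueError(f"unsupported by-style {style}")

def visible_values(bound_dn, entry_dn, values, acl):
    """The subset of an entry's attribute values this bound DN may read."""
    return [v for v in values if allowed(entry_dn, v, bound_dn, acl)]
```

With the final rule, alice sees only the value naming her own DN and bob only his; with the manpage rule, the `$$` turns into the `$` anchor that stops a longer DN such as one with an extra trailing component from matching.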
I've documented this feature in slapd.access(5), as part of ITS#5804.
Thanks, p.
openldap-software@openldap.org