Hello
The goal is to give access to a resource based on two mandatory conditions.
I want the user DN to match a rule, and the attribute value to match another rule, which depends on the user.
This yields me two rules. The first one allows a user that has a given ou in ouManager set to modify the authorizedService in this ou. I did not test the second one yet, but the idea is that the user has a serviceManager attribute telling which value of authorizedService he is allowed to set.
access to dn.regex="^uid=.+,ou=.+,o=home$" attrs=authorizedService by set.exact="user/ouManager & this/-1" write stop
access to attrs.regex=authorizedService val.regex="(.*)" by set="user/serviceManager & ${v1}" write stop
But I need to perform an AND between the two rules. How can that be done?
Emmanuel Dreyfus wrote:
> Hello
> The goal is to give access to a resource based on two mandatory conditions.
> I want the user DN to match a rule, and the attribute value to match another rule, which depends on the user.
> This yields me two rules. The first one allows a user that has a given ou in ouManager set to modify the authorizedService in this ou. I did not test the second one yet, but the idea is that the user has a serviceManager attribute telling which value of authorizedService he is allowed to set.
> access to dn.regex="^uid=.+,ou=.+,o=home$" attrs=authorizedService by set.exact="user/ouManager & this/-1" write stop
> access to attrs.regex=authorizedService val.regex="(.*)" by set="user/serviceManager & ${v1}" write stop
> But I need to perform an AND between the two rules. How can that be done?
Concatenate the terms in the sets.
access to dn.regex="^uid=.+,ou=.+,o=home$" attrs=authorizedService val.regex=(.*) by set.expand="(user/ouManager + user/serviceManager) & (this/-1 + ${v1})" write
Howard Chu hyc@symas.com wrote:
> Concatenate the terms in the sets.
> access to dn.regex="^uid=.+,ou=.+,o=home$" attrs=authorizedService val.regex=(.*) by set.expand="(user/ouManager + user/serviceManager) & (this/-1 + ${v1})" write
I can't get ${v1} to be expanded. (OpenLDAP-2.4.13). Is it a bug (my fault, I implemented the feature), or did I miss something?
Is there a debug option to visualize sets, by the way?
Emmanuel Dreyfus wrote:
> Howard Chu hyc@symas.com wrote:
>> Concatenate the terms in the sets.
>> access to dn.regex="^uid=.+,ou=.+,o=home$" attrs=authorizedService val.regex=(.*) by set.expand="(user/ouManager + user/serviceManager) & (this/-1 + ${v1})" write
> I can't get ${v1} to be expanded. (OpenLDAP-2.4.13). Is it a bug (my fault, I implemented the feature), or did I miss something?
Your fault? I see code for expansion in place (although I didn't check whether it works as intended).
> Is there a debug option to visualize sets, by the way?
with -d acl you get something.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando@sys-net.it
Pierangelo Masarati ando@sys-net.it wrote:
> Your fault? I see code for expansion in place (although I didn't check whether it works as intended).
Indeed it seems I forgot one bit, in servers/slapd/acl.c:
    if ( a->acl_attrval_style == ACL_STYLE_REGEX ) {
        Debug( LDAP_DEBUG_ACL, "acl_get: valpat %s\n",
            a->acl_attrval.bv_val, 0, 0 );
        if ( regexec( &a->acl_attrval_re, val->bv_val, 0, NULL, 0 ) )
This regexec does not collect matches, I suspect this is the problem.
> with -d acl you get something.
Thanks. And -d acl,trace is even better, to get submatch expansion.
Emmanuel Dreyfus manu@netbsd.org wrote:
> Indeed it seems I forgot one bit, in servers/slapd/acl.c:
>     if ( a->acl_attrval_style == ACL_STYLE_REGEX ) {
>         Debug( LDAP_DEBUG_ACL, "acl_get: valpat %s\n",
>             a->acl_attrval.bv_val, 0, 0 );
>         if ( regexec( &a->acl_attrval_re, val->bv_val, 0, NULL, 0 ) )
> This regexec does not collect matches, I suspect this is the problem.
And it has been fixed after 2.4.13, this is an already fixed bug. Cool.
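The following is an added example, not code from the thread or from OpenLDAP. It models the set semantics that Howard Chu's single-clause rule `(user/ouManager + user/serviceManager) & (this/-1 + ${v1})` relies on, so that the AND-by-concatenation trick and its limits can be checked against constructed data. Assumptions, restated from slapd.access(5) as a model rather than as slapd code: `+` joins every string of the left set to every string of the right set, `&` is set intersection, a non-empty result grants, `this/-1` is the parent DN of the target entry, and `${v1}` is the first `val.regex` submatch. The entries, DNs and values below are constructed; the `None` case for `v1` only models the 2.4.13 behaviour where `${v1}` stayed unexpanded (assumed here to be compared as the literal string).

```python
# Added example: a model of OpenLDAP set evaluation for the thread's combined ACL.
# Not slapd code; operators are modelled after slapd.access(5) (see lead-in).
from itertools import product
from typing import Dict, Optional, Set, Tuple


def parent_dn(dn: str) -> str:
    # this/-1 in set syntax: the DN one level above the target.
    # Assumption: plain comma-separated RDNs, no escaped commas.
    return dn.split(",", 1)[1]


def concat(left: Set[str], right: Set[str]) -> Set[str]:
    # Set operator '+': every string of the left set joined to every string
    # of the right set (a cross product).
    return {a + b for a, b in product(left, right)}


def combined_rule_grants(user: Dict[str, Set[str]], target_dn: str,
                         v1: Optional[str]) -> bool:
    # (user/ouManager + user/serviceManager) & (this/-1 + ${v1})
    # user: attribute values of the bound entry; target_dn: entry being written;
    # v1: the authorizedService value being written (None = ${v1} unexpanded,
    # modelled as the literal string, which can never match a real DN+value).
    left = concat(user.get("ouManager", set()), user.get("serviceManager", set()))
    v1_term = v1 if v1 is not None else "${v1}"
    right = concat({parent_dn(target_dn)}, {v1_term})
    return bool(left & right)


def separate_checks(user: Dict[str, Set[str]], target_dn: str,
                    v1: str) -> Tuple[bool, bool]:
    # The two conditions of the original question, each as its own membership
    # test: "user/ouManager & this/-1" and "user/serviceManager & ${v1}".
    ou_ok = parent_dn(target_dn) in user.get("ouManager", set())
    svc_ok = v1 in user.get("serviceManager", set())
    return ou_ok, svc_ok


def concat_collision() -> Tuple[bool, bool]:
    # Why '+' only acts as an AND when the left term is self-delimiting.
    # Constructed data: "ou=a" + "bc" == "ou=ab" + "c", so the intersection is
    # non-empty although the user manages neither the target's ou nor the
    # value. In the thread's rule every ouManager value and every this/-1
    # ends in ",o=home", which fixes the split point, so this cannot happen
    # there. With a separator that cannot occur in the data the collision
    # disappears (the separator is a modelling device, not set syntax).
    user = {"ouManager": {"ou=a"}, "serviceManager": {"bc"}}
    target_parent, value = "ou=ab", "c"
    ambiguous = bool(concat(user["ouManager"], user["serviceManager"])
                     & concat({target_parent}, {value}))
    sep = {"\x00"}
    safe = bool(concat(concat(user["ouManager"], sep), user["serviceManager"])
                & concat(concat({target_parent}, sep), {value}))
    return ambiguous, safe


if __name__ == "__main__":
    manu = {"ouManager": {"ou=sales,o=home"}, "serviceManager": {"imap"}}
    print(combined_rule_grants(manu, "uid=bob,ou=sales,o=home", "imap"))  # True
    print(combined_rule_grants(manu, "uid=bob,ou=eng,o=home", "imap"))    # False: wrong ou
    print(combined_rule_grants(manu, "uid=bob,ou=sales,o=home", "ssh"))   # False: wrong service
    print(combined_rule_grants(manu, "uid=bob,ou=sales,o=home", None))    # False: ${v1} unexpanded
    print(concat_collision())                                            # (True, False)
```

Two points the model makes visible. First, the combined rule behaves as `ou_ok and svc_ok` only because both sides of the `+` end in a fixed suffix (`,o=home`), which keeps the concatenation unambiguous; reuse of the trick with free-form strings needs the same property or it can grant on a collision. Second, because `+` is a cross product, a user with several ouManager values and several serviceManager values is granted every ou combined with every service; the rule cannot express "imap in ou=sales but only ssh in ou=eng" for one user. With `${v1}` left unexpanded, as in 2.4.13, the right-hand set can never match and the clause fails closed.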
openldap-software@openldap.org