Hello,
We need to configure recursive access control for groups in an OpenLDAP server. I will describe it in detail. Currently we allow members of the "System Administrator" group to modify specific attributes by defining an ACL:
access to attrs=employeeType,employeeNumber
    by self write
    by group/groupOfUniqueNames/uniqueMember="cn=System Administrator,ou=groups,dc=domain,dc=com" write
    by * read
The problem is that we also need to handle nested memberships. If some group is specified as a uniqueMember of the "System Administrator" group, then access should be granted to all sub-group members, and so on recursively. In the following example both users (user1 and user2) must be able to modify the attributes:
dn: cn=System Administrator,ou=groups,dc=domain,dc=com
uniqueMember: cn=user1,ou=users,dc=domain,dc=com
uniqueMember: cn=Sub Group,ou=groups,dc=domain,dc=com

dn: cn=Sub Group,ou=groups,dc=domain,dc=com
uniqueMember: cn=user2,ou=users,dc=domain,dc=com
It should be possible to create a new group, add it as a uniqueMember of the "System Administrator" group, and then all members of the new group must automatically be granted access to the attributes.
I have found the following solution, which uses the sets syntax:
access to attrs=employeeType,employeeNumber
    by self write
    by set="[cn=System Administrator,ou=groups,dc=domain,dc=com]/uniqueMember* & user" write
    by * read
At first glance it worked as expected, but then problems started to appear... We have two OpenLDAP instances and now there are two different problems.
First instance (2.3.38): after including some group in "System Administrator" and performing some operations, after some time OpenLDAP crashes!
Second instance (2.3.27): OpenLDAP doesn't crash, but operations (e.g. search) are very slow (unacceptable)!
I can provide more details if necessary.
So, my questions are:
1) Is an ACL with the subject by set="[cn=System Administrator,ou=groups,dc=domain,dc=com]/uniqueMember* & user" write valid for our situation?
2) Maybe there is another way to achieve our goal (one that would be easier to apply than investigating the current problems)?
3) Could somebody please assist with the problems with the new configuration (crash on the 1st instance and poor performance on the 2nd)?
By the way, we are using quite an advanced configuration, with the ppolicy, refint, unique and accesslog overlays enabled. So probably there are dependencies or incompatibilities between them...
That is very urgent and critical for our project, we really need to solve this problem as soon as possible! Please help!!!
Thanks a lot in advance, Alina.
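The set clause in the ACL above asks slapd to follow uniqueMember recursively from the group entry and intersect the result with the bound user. The following is an added example, not part of this thread and not OpenLDAP's own code: a standalone Python model of that evaluation, run over the two groups posted above. The directory is constructed sample data (user3 is an extra non-member added for contrast), and the function names are this example's own. It shows why user2 passes the set clause but not the original group clause, counts the entry lookups the walk needs, and keeps a visited set so that two groups listing each other still terminate.

```python
from __future__ import annotations

# Constructed sample directory (not real data): DN -> attributes.  It holds the
# two groups from the thread plus user3, an extra non-member for contrast.
SYSADMIN_DN = "cn=System Administrator,ou=groups,dc=domain,dc=com"
SUBGROUP_DN = "cn=Sub Group,ou=groups,dc=domain,dc=com"
USER1_DN = "cn=user1,ou=users,dc=domain,dc=com"
USER2_DN = "cn=user2,ou=users,dc=domain,dc=com"
USER3_DN = "cn=user3,ou=users,dc=domain,dc=com"

DIRECTORY = {
    SYSADMIN_DN: {"objectClass": ["groupOfUniqueNames"],
                  "uniqueMember": [USER1_DN, SUBGROUP_DN]},
    SUBGROUP_DN: {"objectClass": ["groupOfUniqueNames"],
                  "uniqueMember": [USER2_DN]},
    USER1_DN: {"objectClass": ["inetOrgPerson"]},
    USER2_DN: {"objectClass": ["inetOrgPerson"]},
    USER3_DN: {"objectClass": ["inetOrgPerson"]},
}


def normalize_dn(dn: str) -> str:
    """Minimal DN normalization (case-fold, trim around commas).  slapd does a
    schema-aware normalization; this is enough to compare the sample DNs."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def closure(directory: dict, start_dn: str, attr: str) -> tuple[set[str], int]:
    """Model of  [start_dn]/attr*  : the DNs reached by dereferencing attr
    repeatedly, starting from start_dn (the start DN itself is in the result,
    which is immaterial once the set is intersected with the bound user).

    Returns (dns, lookups).  lookups counts the entries that had to be read;
    inside slapd each dereference is an internal entry lookup, so this number
    is the extra directory work the set clause adds to every access check.
    The visited set makes the walk finish even if two groups list each other."""
    index = {normalize_dn(dn): entry for dn, entry in directory.items()}
    start = normalize_dn(start_dn)
    reached = {start}
    todo = [start]
    lookups = 0
    while todo:
        dn = todo.pop()
        lookups += 1
        entry = index.get(dn)
        if entry is None:            # dangling DN (no such entry): nothing to follow
            continue
        for value in entry.get(attr, []):
            ndn = normalize_dn(value)
            if ndn not in reached:   # already seen => skip, so cycles terminate
                reached.add(ndn)
                todo.append(ndn)
    return reached, lookups


def set_clause_grants(directory: dict, group_dn: str, user_dn: str) -> bool:
    """by set="[group_dn]/uniqueMember* & user" : true when the bound user is
    in the recursive closure of the group's uniqueMember values."""
    members, _ = closure(directory, group_dn, "uniqueMember")
    return normalize_dn(user_dn) in members


def group_clause_grants(directory: dict, group_dn: str, user_dn: str) -> bool:
    """by group/groupOfUniqueNames/uniqueMember="group_dn" : only the group's
    own uniqueMember values are checked, one level, no recursion."""
    index = {normalize_dn(dn): entry for dn, entry in directory.items()}
    entry = index.get(normalize_dn(group_dn), {})
    direct = {normalize_dn(v) for v in entry.get("uniqueMember", [])}
    return normalize_dn(user_dn) in direct


def directory_with_cycle() -> dict:
    """Copy of DIRECTORY in which Sub Group also lists System Administrator,
    i.e. the two groups reference each other."""
    cyclic = {dn: {a: list(v) for a, v in entry.items()} for dn, entry in DIRECTORY.items()}
    cyclic[SUBGROUP_DN]["uniqueMember"].append(SYSADMIN_DN)
    return cyclic


if __name__ == "__main__":
    for user in (USER1_DN, USER2_DN, USER3_DN):
        print(user,
              "group clause:", group_clause_grants(DIRECTORY, SYSADMIN_DN, user),
              "set clause:", set_clause_grants(DIRECTORY, SYSADMIN_DN, user))
    members, lookups = closure(DIRECTORY, SYSADMIN_DN, "uniqueMember")
    print(len(members), "DNs in the closure after", lookups, "entry lookups")
    members, lookups = closure(directory_with_cycle(), SYSADMIN_DN, "uniqueMember")
    print("with a cycle:", len(members), "DNs after", lookups, "entry lookups")
```

The lookup count is the part worth watching: the set clause is evaluated for every access check on the listed attributes, and each step of the walk is another entry fetched from the backend, so the cost grows with the number and depth of the nested groups rather than staying constant like the single-level group clause.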
> That is very urgent and critical for our project, we really need to solve this problem as soon as possible! Please help!!!
http://www.openldap.org/support/ for urgent things.
Most people on these lists use their spare time.
Gavin,
Thank you for the reply and the suggestion about support services! However, I'm hoping that somebody on the list is familiar with the sets syntax for defining an ACL and would be able to determine if an ACL like this is correct:
access to attrs=employeeType,employeeNumber
    by self write
    by set="[cn=System Administrator,ou=groups,dc=domain,dc=com]/uniqueMember* & user" write
    by * read
So, we have a parent group (groupOfUniqueNames, "System Administrator") and all its members should be granted permission to modify specific attributes. Then we need to have the ability to add new child groups at runtime, so that all child group members would automatically be granted the same set of permissions as the parent group. Without modifying slapd.conf and restarting the server, of course.
Probably there is some important nuance with the sets syntax, or maybe there is another alternative solution?
Because, as I mentioned, with the stated ACL we have performance issues on one OpenLDAP instance and a fatal crash on another...
Regards, Alina.
On Dec 7, 2007 1:46 AM, Gavin Henry ghenry@suretecsystems.com wrote:
On Fri, Dec 07, 2007 at 10:27:04AM +0200, Alina Dubrovska wrote:
I used recursive groups once with sets, but not for long enough to measure the performance. Do you have all the needed attributes properly indexed?
Also, the use of uniqueMember and groupOfUniqueMembers for groups is usually advised against. Better to use groupOfNames and member instead. But I suppose it's not related to the crash.
openldap-software@openldap.org