Florian Best wrote:
- How to allow the creation of objects with a specific objectclass only?
http://www.openldap.org/faq/data/cache/1474.html
The FAQ-O-MATIC does not look fancy but contains lots of useful access control examples.
All of the following examples aren't doing their job when *creating* an entry.
You probably need "add_content_acl yes" as mentioned in the FAQ above.
Some further suggestions for the development are:
- It would reduce a lot of redundancy if multiple "to" statements could
be used in one ACL definition (so that the different by clauses don't always need to be copied).
Or you could use templating provided with ansible/puppet/saltstack/chef...
- If the "by" clause would also have a filter="" one wouldn't need to
use "set"s anymore - sets are slower and don't even work with all things (e.g. if you have special characters in the DN).
Are you aware that you can have hex-escaped bytes in DN string representations?
There is no way to escape "]" / "[" and urlencode things which are e.g. used in an LDAP URI filter. This can even lead to security issues.
Do you have a detailed example?
- ACL rules can't be bound to the ldap operation (search, auth, add,
modify, delete, ...), you can only remove e.g. some of the permission bits (e.g. access to if-operation="search" ...)
Setting the privileges is IMO sufficient.
- Using backreferences of the DN in the filter="" or attrs="" would also
be very handy (how to restrict e.g. the "uid" value to be only what's in the DN of the target/operating user?)
Use set-based constraints. In general slapo-constraint is your friend for constraining attribute values.
Ciao, Michael.
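As an added illustration (constructed for this note, not taken from the thread or from the OpenLDAP documentation), a slapd.conf fragment combining the two points made above: add_content_acl, so that filter="" in an "add" ACL is evaluated against the entry being created, and a slapo-constraint set for tying attribute values together. The base DN, the group DN and the uid set expression are assumptions; the cn/sn/givenName set is the example shape from slapo-constraint(5).

```conf
# Constructed slapd.conf fragment (example, not from the thread).

# Evaluate the "to" filter against the content of the entry being added.
# Default is off: without it, an add is authorised only by "write" on the
# parent's "children" pseudo-attribute and the objectClass filter below
# is never consulted for add operations.
add_content_acl on

# Only members of the admin group may create posixAccount entries below
# ou=People; everyone else can only create plain inetOrgPerson entries.
access to dn.children="ou=People,dc=example,dc=com"
        filter="(objectClass=posixAccount)"
        attrs=entry,children
    by group.exact="cn=posixadmins,ou=Groups,dc=example,dc=com" write
    by * none

access to dn.children="ou=People,dc=example,dc=com"
        filter="(objectClass=inetOrgPerson)"
        attrs=entry,children
    by group.exact="cn=helpdesk,ou=Groups,dc=example,dc=com" write
    by * none

# The parent entry itself: "write" on children is what permits the add.
access to dn.exact="ou=People,dc=example,dc=com" attrs=children
    by group.exact="cn=posixadmins,ou=Groups,dc=example,dc=com" write
    by group.exact="cn=helpdesk,ou=Groups,dc=example,dc=com" write
    by * none

# slapo-constraint, set type: the update is accepted only if the set
# expression is non-empty. "this" is the entry being written.
overlay constraint
# cn must be exactly "<givenName> <sn>" (shape taken from slapo-constraint(5)).
constraint_attribute cn,sn,givenName set
        "(this/givenName + [ ] + this/sn) & this/cn"
# Assumed expression: uid of the target entry must match the uid of the
# bound user ("user"), i.e. a user may only write their own uid value.
constraint_attribute uid set "this/uid & user/uid"
```

The constraint overlay is enforced after the ACL check, so an ACL that grants write on uid still cannot be used to set a uid that the set expression rejects.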