--On Tuesday, March 20, 2012 12:58 AM -0400 "David N. Blank-Edelman" dnb@ccs.neu.edu wrote:
To your original point: once those details are clear, I suspect it would be relatively straightforward to write a slapacl command/script that parsed the ACL .conf file format and then used Net::LDAP to twiddle cn=config on a specified server accordingly.
From one of my scripts, which adjusts ACLs 3, 7, and 8 for anonymous vs. user-only read access:
use strict;
use warnings;
use Net::LDAP;

# Assumed context from earlier in the script (not shown in the fragment):
# %options holds the parsed command-line switches, $ldap is a bound
# Net::LDAP handle, and $dn is the config database entry that carries
# olcAccess (for example olcDatabase={2}mdb,cn=config).
my ($mesg, @acls);

# -d: authenticated users only ("by users read by * none")
if ($options{d}) {
    @acls = (
        '{3}to attrs=objectclass by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read by users read by * none',
        '{7}to filter="(!(zimbraHideInGal=TRUE))" attrs=cn,co,company,dc,displayName,givenName,gn,initials,l,mail,o,ou,physicalDeliveryOfficeName,postalCode,sn,st,street,streetAddress,telephoneNumber,title,uid,homePhone,pager,mobile,userCertificate by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read by users read by * none',
        '{8}to attrs=zimbraId,zimbraMailAddress,zimbraMailAlias,zimbraMailCanonicalAddress,zimbraMailCatchAllAddress,zimbraMailCatchAllCanonicalAddress,zimbraMailCatchAllForwardingAddress,zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailHost,zimbraMailStatus,zimbraMailTransport,zimbraDomainName,zimbraDomainType,zimbraPrefMailLocalDeliveryDisabled by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read by * none',
    );
}

# -e: anonymous read allowed ("by * read")
if ($options{e}) {
    @acls = (
        '{3}to attrs=objectclass by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read by * read',
        '{7}to filter="(!(zimbraHideInGal=TRUE))" attrs=cn,co,company,dc,displayName,givenName,gn,initials,l,mail,o,ou,physicalDeliveryOfficeName,postalCode,sn,st,street,streetAddress,telephoneNumber,title,uid,homePhone,pager,mobile,userCertificate by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read by * read',
        '{8}to attrs=zimbraId,zimbraMailAddress,zimbraMailAlias,zimbraMailCanonicalAddress,zimbraMailCatchAllAddress,zimbraMailCatchAllCanonicalAddress,zimbraMailCatchAllForwardingAddress,zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailHost,zimbraMailStatus,zimbraMailTransport,zimbraDomainName,zimbraDomainType,zimbraPrefMailLocalDeliveryDisabled by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read by * read',
    );
}

# Every value carries its {n} ordering prefix: deleting "{n}" removes the
# nth ACL, and adding a value that starts with "{n}" puts it back in slot n.
for my $acl (@acls) {
    my ($n) = $acl =~ /^\{(\d+)\}/;
    $mesg = $ldap->modify($dn, delete => { olcAccess => "{$n}" });
    $mesg->code and die "delete of ACL {$n} failed: " . $mesg->error;
    $mesg = $ldap->modify($dn, add => { olcAccess => $acl });
    $mesg->code and die "add of ACL {$n} failed: " . $mesg->error;
}
$ldap->unbind;
Again, the ability to delete an existing ACL by its ordering is invaluable. So is the ability to do inserts in the ACL tables based on the ordering number.
Here's another bit I've done to modify an existing ACL when upgrading between Zimbra versions:
# $result is the Net::LDAP::Search result of reading the config database;
# the entry of interest is the last one returned (as in the fragment).
my $entry     = $result->entry($result->count - 1);
my @attrvals  = $entry->get_value("olcAccess");
my $aclNumber = -1;
my $attrMod   = "";

foreach my $attr (@attrvals) {
    # Only the ACL that covers zimbraDomainName is of interest.
    if ($attr =~ /zimbraDomainName/) {
        # Remember its {n} ordering prefix so it can be replaced in place.
        ($aclNumber) = $attr =~ /^\{(\d+)\}/;
        if ($attr !~ /uid=zmamavis,cn=appaccts,cn=zimbra/) {
            $attrMod = $attr;
            # The '*' must be escaped: unescaped, "by * none" quantifies the
            # preceding space and never matches the literal "by * none".
            $attrMod =~ s/by \* none/by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read by * none/;
        }
    }
}

if ($aclNumber != -1 && $attrMod ne "") {
    $result = $ldap->modify($dn, delete => { olcAccess => "{$aclNumber}" });
    $result = $ldap->modify($dn, add    => { olcAccess => $attrMod });
}
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
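As an added example (not Quanah's script and not OpenLDAP or Zimbra code), the following Python models what the two Perl fragments above rely on: olcAccess in cn=config is an X-ORDERED attribute, so a modify that deletes "{n}" removes the nth ACL and an add of a value prefixed "{n}" inserts it at slot n, with the rest renumbered. It replays the upgrade tweak (grant zmamavis read on the ACL covering zimbraDomainName, with the "*" correctly escaped) against a constructed set of olcAccess values, emits the delete/add pair to send, and runs a deliberately simplified first-match check of what an anonymous bind ends up with for a given attribute. The sample values, the DN olcDatabase={2}mdb,cn=config, and the reduced ACL semantics (filter and DN selectors in the "to" clause are ignored) are assumptions; nothing here talks to a server.

```python
import re

# Constructed sample: olcAccess values as a search of the config database
# entry (olcDatabase={2}mdb,cn=config is an assumed DN) might return them;
# the bodies are shortened versions of the ACLs in the post above.
SAMPLE_OLCACCESS = [
    '{0}to attrs=userPassword by dn.children="cn=admins,cn=zimbra" write'
    ' by anonymous auth by self write by * none',
    '{1}to attrs=zimbraDomainName,zimbraMailHost'
    ' by dn.children="cn=admins,cn=zimbra" write'
    ' by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read by * none',
    '{2}to * by dn.children="cn=admins,cn=zimbra" write by * read',
]
ZMAMAVIS = 'dn.base="uid=zmamavis,cn=appaccts,cn=zimbra"'
ORDERED = re.compile(r'^\{(\d+)\}(.*)$', re.S)


def split_ordered(value):
    """Split an X-ORDERED value '{n}body' into (n, body)."""
    m = ORDERED.match(value)
    if not m:
        raise ValueError('no {n} ordering prefix: %r' % value)
    return int(m.group(1)), m.group(2)


def apply_modify(values, op, value):
    """Model one modify op on an X-ORDERED attribute: delete '{n}' drops
    position n, add '{n}body' inserts at position n, and the remaining
    values are renumbered.  Returns a new list."""
    bodies = [split_ordered(v)[1] for v in values]
    n, body = split_ordered(value)
    if op == 'delete':
        if body:
            raise ValueError('this model deletes by ordering index only')
        del bodies[n]
    elif op == 'add':
        bodies.insert(n, body)  # an index past the end appends
    else:
        raise ValueError('unknown op %r' % op)
    return ['{%d}%s' % (i, b) for i, b in enumerate(bodies)]


def grant_zmamavis_read(values):
    """The upgrade tweak from the post: locate the ACL covering
    zimbraDomainName and, unless it already names zmamavis, grant it read
    ahead of the closing 'by * none'.  Returns the new value or None."""
    for v in values:
        n, body = split_ordered(v)
        if 'zimbraDomainName' in body and ZMAMAVIS not in body:
            # '*' is escaped: unescaped, 'by * none' would quantify the
            # space before it and never match the literal clause.
            body = re.sub(r'by \* none', 'by %s read by * none' % ZMAMAVIS, body)
            return '{%d}%s' % (n, body)
    return None


def plan_replacement(new_value):
    """The two modify operations the post sends per ACL: delete by index,
    then add at the same index."""
    n, _ = split_ordered(new_value)
    return [('delete', '{%d}' % n), ('add', new_value)]


def upgrade(values):
    """Plan and apply the upgrade; a second run makes no changes."""
    new_value = grant_zmamavis_read(values)
    if new_value is None:
        return list(values), []
    ops = plan_replacement(new_value)
    for op, val in ops:
        values = apply_modify(values, op, val)
    return values, ops


def anonymous_access(values, attr):
    """Simplified first-match evaluation for an anonymous bind: the first
    'to' clause covering attr decides, and within it the first 'by' clause
    reaching anonymous ('by anonymous' or 'by *') gives the level.  Filter
    and DN selectors in the 'to' clause are ignored."""
    for v in values:
        _, body = split_ordered(v)
        head = body.split(' by ', 1)[0].strip()
        m = re.search(r'attrs=(\S+)', head)
        if head != 'to *' and not (m and attr in m.group(1).split(',')):
            continue
        for who, level in re.findall(r'\bby (\S+) (\w+)', body):
            if who in ('*', 'anonymous'):
                return level
        return 'none'
    return 'none'


if __name__ == '__main__':
    after, ops = upgrade(SAMPLE_OLCACCESS)
    for op, val in ops:
        print('%-6s %s' % (op, val))
    for v in after:
        print(v)
    print('anonymous on zimbraDomainName:',
          anonymous_access(after, 'zimbraDomainName'))
```

The ops list maps one-to-one onto the delete-then-add modify calls in the Perl above, so it can be reviewed or logged before anything is sent. Running anonymous_access on the values before and after a change is the cheap sanity check that a switch between "by * none" and "by * read" did what was intended for the attributes that matter, such as zimbraDomainName.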