--On Tuesday, December 27, 2011 6:03 PM +0200 Nick Milas
<nick(a)eurobjects.com> wrote:
Any advice on this, please ?
Thanks,
Nick
On 23/12/2011 12:23 AM, Nick Milas wrote:
> Hello,
>
> I have converted from static (slapd.conf) to dynamic (cn=config)
> configuration using auto file conversion.
>
> I would like to ask a couple of questions regarding ACL conversion.
> Here follows one of the rules we have in initial form (a), and after
> conversion (b):
>
> (a)
> access to
> dn.subtree="dc=xxx.xxx.xxx.in-addr.arpa,ou=dns1,dc=example,dc=gr"
> attrs="children,entry"
> by group.exact="cn=TechAdmins,ou=Groups,dc=example,dc=gr" write
> by group.exact="cn=Dept1Admins,ou=Groups,dc=example,dc=gr" read
> by group.exact="cn=Dept2Admins,ou=Groups,dc=example,dc=gr" write
> by group.exact="cn=Dept3Admins,ou=Groups,dc=example,dc=gr" read
> by group.exact="cn=Dept4Admins,ou=Groups,dc=example,dc=gr" read
> by group.exact="cn=Dept5Admins,ou=Groups,dc=example,dc=gr" read
> by group.exact="cn=GuestAdmins,ou=Groups,dc=example,dc=gr" read
> by dn.exact="uid=dnsauthusr,ou=System,dc=example,dc=gr" read
> by * break
>
> (b) as an olcAccess attribute value:
> {10}to dn.subtree="dc=xxx.xxx.xxx.in-addr.arpa,ou=dns1,dc=example,dc=gr" attrs=children,entry
> by group/groupOfNames/member.exact="cn=techadmins,ou=groups,dc=example,dc=gr" write
> by group/groupOfNames/member.exact="cn=Dept1Admins,ou=groups,dc=example,dc=gr" read
> by group/groupOfNames/member.exact="cn=Dept2Admins,ou=groups,dc=example,dc=gr" write
> by group/groupOfNames/member.exact="cn=Dept3Admins,ou=groups,dc=example,dc=gr" read
> by group/groupOfNames/member.exact="cn=Dept4Admins,ou=groups,dc=example,dc=gr" read
> by group/groupOfNames/member.exact="cn=Dept5Admins,ou=groups,dc=example,dc=gr" read
> by group/groupOfNames/member.exact="cn=guestadmins,ou=groups,dc=example,dc=gr" read
> by dn.base="uid=dnsauthusr,ou=system,dc=example,dc=gr" read
> by * +0 break
>
> Question 1.
> Why was "group.exact" changed to "group/groupOfNames/member.exact"?
> Yes, groups are defined as entries of groupOfNames objectClass, with
> members defined as values of attribute "member". But should it be like
> that? Should we change (manually) "group/groupOfNames/member.exact"
> back to "group.exact" again or not (and why)?
Read the slapd.access man page.
> Question 2.
> Is there a way we can add (manually, since conversion removed the ones
> which existed in initial configuration files) line breaks in olcAccess
> attribute value so it can be more legible (for administrative purposes)?
No, it is in LDIF format.
> Question 3.
> What is the "+0" added before "break" and why is it needed?
See the slapd.access man page. Even if you never had it in slapd.conf, it
was always automatically added when slapd processed the configuration file.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
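Since the stored olcAccess value itself cannot carry line breaks, here is an added Python helper (not from the thread and not OpenLDAP code) that splits one converted value into its `to` clause and one `by` clause per line for review. The sample value is constructed from rule (b) above with the mail wrapping undone and trimmed to four `by` clauses.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: rule (b) from the thread with the mail wrapping undone,
# trimmed to four "by" clauses to keep the example short.
SAMPLE_OLCACCESS = (
    '{10}to dn.subtree="dc=xxx.xxx.xxx.in-addr.arpa,ou=dns1,dc=example,dc=gr" '
    'attrs=children,entry '
    'by group/groupOfNames/member.exact="cn=techadmins,ou=groups,dc=example,dc=gr" write '
    'by group/groupOfNames/member.exact="cn=Dept1Admins,ou=groups,dc=example,dc=gr" read '
    'by dn.base="uid=dnsauthusr,ou=system,dc=example,dc=gr" read '
    'by * +0 break'
)

# A token is a run of non-blank characters in which double-quoted segments may
# contain blanks, so a DN with spaces stays one token and a quoted "by" never
# starts a new clause.
_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')
_CONTROLS = ("stop", "continue", "break")


def parse_olcaccess(value: str):
    """Return (ordering index, <what> tokens, [(who, access, control), ...]).
    access/control are None when absent; "+0" is the incremental access form that
    grants nothing, so "by * +0 break" just passes evaluation on to the next rule."""
    tokens = _TOKEN.findall(value)
    index: Optional[int] = None
    m = re.match(r"\{(\d+)\}(.*)", tokens[0]) if tokens else None
    if m:                                   # "{10}to" -> index 10, token "to"
        index, tokens[0] = int(m.group(1)), m.group(2)
    if not tokens or tokens[0] != "to":
        raise ValueError("olcAccess value must start with 'to'")
    first_by = tokens.index("by") if "by" in tokens else len(tokens)
    what, rest = tokens[1:first_by], tokens[first_by:]
    clauses: List[Tuple[str, Optional[str], Optional[str]]] = []
    while rest:                             # rest[0] is always "by" here
        nxt = rest.index("by", 1) if "by" in rest[1:] else len(rest)
        parts = rest[1:nxt]                 # who [access] [control]
        if not parts:
            raise ValueError("by-clause without <who>")
        control = parts.pop() if len(parts) > 1 and parts[-1] in _CONTROLS else None
        clauses.append((parts[0], parts[1] if len(parts) > 1 else None, control))
        rest = rest[nxt:]
    return index, what, clauses


def pretty(value: str) -> str:
    """One clause per line for reading; the value stored in cn=config is unchanged."""
    index, what, clauses = parse_olcaccess(value)
    head = (f"{{{index}}}" if index is not None else "") + "to " + " ".join(what)
    return "\n".join([head] + ["    by " + " ".join(p for p in c if p) for c in clauses])
```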