Nick Milas wrote:
Question 2.
Is there a way we can add (manually, since conversion removed the
ones which existed in initial configuration files) line breaks in
olcAccess attribute value so it can be more legible (for
administrative purposes)?
*You do not like this:*
dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read
*but prefer something like this:*
dn: olcDatabase={-1}frontend,cn=config
olcAccess: to *
 by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
 by * break
olcAccess: to dn.exact=""
 by * read
olcAccess: to dn.base="cn=Subschema"
 by * read
I think it is legible.
And the openldap ldif parser is still happy.
The quite old stream editor sed helps.
#!/bin/sed -rf
# Author: Harry Jede
# Produce human readable but still machine parseable
# olcAccess lines and remove the ordering numbers in {}
# because humans don't need them, really.
# The whole script:
# 1. strip the {n} ordering prefix from every olcAccess line
s/^(olcAccess: )\{[[:digit:]]+\}(.*$)/\1\2/
# 2. collect the whole input in the hold space (first line with h so
#    that no empty leading line is produced) and print nothing yet
1h
1!H
$!d
# 3. on the last line: fetch everything, join LDIF continuation lines
#    (newline followed by one space), then start a new continuation
#    line before every "by" clause
g
s/\n //g
s/[[:space:]]+by /\n by /g
Use the script at your own risk! I wrote it some months ago and it
works for me. I do not cover the case where an entry in an ACL has the
keyword *by* in the DN. Something like this:
"cn=produced by company,dc=example,dc=com"
Usage examples on a Debian system:
a) small data
# ldapsearch -LLLY external -H ldapi:/// -b 'olcDatabase={1}monitor,cn=config' 'olcaccess=*' olcaccess 2>/dev/null|fmt_olcAccess
dn: olcDatabase={1}monitor,cn=config
olcAccess: to *
 by dn.exact="cn=admin,dc=delixs-schule,dc=de" read
 by set="[cn=admin,dc=delixs-schule,dc=de]/roleOccupant/member & user" read
 by * none
b) much more data
slapcat -n0 |fmt_olcAccess |less
--
Harry Jede
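A quote-aware version of the same reformatting, written in Python as an added example (not part of Harry's post): it unfolds LDIF continuation lines, strips the {n} ordering prefix and breaks before each by clause, but does not split inside a double-quoted DN such as the "cn=produced by company" case mentioned above. The sample LDIF below is constructed.

```python
import re

# Constructed sample in the folded form cn=config returns, including the
# edge case the sed script does not handle: a quoted DN containing " by ".
SAMPLE_LDIF = """\
dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=produced by company,dc=example,dc=com" by * read
"""

# "olcAccess: " followed by an optional X-ORDERED prefix such as {0}
ATTR_PREFIX = re.compile(r"^(olcAccess: )(?:\{\d+\})?")


def unfold(ldif):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def split_by_clauses(value):
    """Split an ACL value at every ' by ' that is outside double quotes.

    Returns the leading 'to ...' part followed by each 'by ...' clause.
    """
    clauses, start, in_quotes, i = [], 0, False, 0
    while i < len(value):
        if value[i] == '"':
            in_quotes = not in_quotes
        elif not in_quotes and value.startswith(" by ", i):
            clauses.append(value[start:i].strip())
            start = i + 1        # the new clause keeps its "by" keyword
            i += 4               # skip past " by "
            continue
        i += 1
    clauses.append(value[start:].strip())
    return clauses


def fmt_olc_access(ldif):
    """Emit one 'by' clause per continuation line, without {n} prefixes."""
    out = []
    for line in unfold(ldif):
        m = ATTR_PREFIX.match(line)
        if not m:
            out.append(line)
            continue
        clauses = split_by_clauses(line[m.end():])
        out.append(m.group(1) + clauses[0])
        out.extend(" " + clause for clause in clauses[1:])
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(fmt_olc_access(SAMPLE_LDIF), end="")
```

As with the sed script the output is for reading; when such values are loaded back without {n}, the server assigns the ordering from the sequence in which they appear.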