Nick Milas wrote:
On 22/3/2012 3:56 PM, Nick Milas wrote:
On 22/3/2012 2:20 PM, btb wrote:
i press the enter key on my keyboard
Thanks,
Interestingly, I found that the same is also possible with JXPlorer.
ACLs can be formatted like that and they remain formatted. They also function without problems.
Hi,
I am returning to an older thread, regarding the formatting of ACLs using Carriage Returns (CRs) and spaces.
I have just realized that if we format (using CRs) ACLs stored as olcAccess attr values, then they are exported/stored as ldif in base64 encoded format (by all clients I tried).
Here is an example:
olcAccess: {25}to dn.subtree="ou=dns1,dc=noa,dc=gr" by group/groupOfNames/member.exact="cn=techadmins,ou=groups,dc=noa,dc=gr" write by group/groupOfNames/member.exact="cn=spaceadmins,ou=groups,dc=noa,dc=gr" read by group/groupOfNames/member.exact="cn=astroadmins,ou=groups,dc=noa,dc=gr" read by group/groupOfNames/member.exact="cn=geinadmins,ou=groups,dc=noa,dc=gr" read by group/groupOfNames/member.exact="cn=meteoadmins,ou=groups,dc=noa,dc=gr" read by group/groupOfNames/member.exact="cn=nestoradmins,ou=groups,dc=noa,dc=gr" read by group/groupOfNames/member.exact="cn=guestadmins,ou=groups,dc=noa,dc=gr" read by dn.base="uid=dnsauthusr,ou=system,dc=noa,dc=gr" read
olcAccess:: ezI2fXRvIGRuLnN1YnRyZWU9Im91PWtyYmNvbnRhaW5lcixkYz1ub2EsZGM9Z3Ii
ICBhdHRycz1jaGlsZHJlbixlbnRyeQogICBieSBkbi5iYXNlPSJ1aWQ9ZG5zYXV0aHVz cixvdT1 zeXN0ZW0sZGM9bm9hLGRjPWdyIiBub25lICAKICAgYnkgZ3JvdXAvZ3JvdXBPZk5hbWV zL21lbW Jlci5leGFjdD0iY249dGVjaGFkbWlucyxvdT1ncm91cHMsZGM9bm9hLGRjPWdyIiB3cm l0ZSAgC iAgIGJ5IGdyb3VwL2dyb3VwT2ZOYW1lcy9tZW1iZXIuZXhhY3Q9ImNuPXNwYWNlYWRta W5zLG91 PWdyb3VwcyxkYz1ub2EsZGM9Z3IiIHJlYWQgIAogICBieSBncm91cC9ncm91cE9mTmFt ZXMvbWV tYmVyLmV4YWN0PSJjbj1hc3Ryb2FkbWlucyxvdT1ncm91cHMsZGM9bm9hLGRjPWdyIiB yZWFkIC AKICAgYnkgZ3JvdXAvZ3JvdXBPZk5hbWVzL21lbWJlci5leGFjdD0iY249Z2VpbmFkbW lucyxvd T1ncm91cHMsZGM9bm9hLGRjPWdyIiByZWFkICAKICAgYnkgZ3JvdXAvZ3JvdXBPZk5hb WVzL21l bWJlci5leGFjdD0iY249bWV0ZW9hZG1pbnMsb3U9Z3JvdXBzLGRjPW5vYSxkYz1nciIg cmVhZCA gCiAgIGJ5IGdyb3VwL2dyb3VwT2ZOYW1lcy9tZW1iZXIuZXhhY3Q9ImNuPW5lc3RvcmF kbWlucy xvdT1ncm91cHMsZGM9bm9hLGRjPWdyIiByZWFkICAKICAgYnkgZ3JvdXAvZ3JvdXBPZk 5hbWVzL 21lbWJlci5leGFjdD0iY249Z3Vlc3RhZG1pbnMsb3U9Z3JvdXBzLGRjPW5vYSxkYz1nc iIgcmVh ZCAgCiAgIGJ5IGRuLmJhc2U9InVpZD1hdXRoZW50aWNhdGUsb3U9c3lzdGVtLGRjPW5v YSxkYz1 nciIgcmVhZCAgCiAgIGJ5IGRuLmJhc2U9InVpZD1sb2dpbmF1dGhiaW5kLG91PXN5c3R lbSxkYz 1ub2EsZGM9Z3IiIHJlYWQgIAogICBieSBkbi5iYXNlPSJ1aWQ9a2RjLXNlcnZpY2Usb3 U9c3lzd GVtLGRjPW5vYSxkYz1nciIgcmVhZCAgCiAgIGJ5IGRuLmJhc2U9InVpZD1rcmItYWRtL XNlcnZp Y2Usb3U9c3lzdGVtLGRjPW5vYSxkYz1nciIgd3JpdGUgIAogICBieSAqICswIGJyZWFr
The former, ACL #25, was not formatted and is exported OK. However, the latter should be #26 and the actual value is as follows (copied from the GUI):
{26}to dn.subtree="ou=krbcontainer,dc=noa,dc=gr" attrs=children,entry
   by dn.base="uid=dnsauthusr,ou=system,dc=noa,dc=gr" none
   by group/groupOfNames/member.exact="cn=techadmins,ou=groups,dc=noa,dc=gr" write
   by group/groupOfNames/member.exact="cn=spaceadmins,ou=groups,dc=noa,dc=gr" read
   by group/groupOfNames/member.exact="cn=astroadmins,ou=groups,dc=noa,dc=gr" read
   by group/groupOfNames/member.exact="cn=geinadmins,ou=groups,dc=noa,dc=gr" read
   by group/groupOfNames/member.exact="cn=meteoadmins,ou=groups,dc=noa,dc=gr" read
   by group/groupOfNames/member.exact="cn=nestoradmins,ou=groups,dc=noa,dc=gr" read
   by group/groupOfNames/member.exact="cn=guestadmins,ou=groups,dc=noa,dc=gr" read
   by dn.base="uid=authenticate,ou=system,dc=noa,dc=gr" read
   by dn.base="uid=loginauthbind,ou=system,dc=noa,dc=gr" read
   by dn.base="uid=kdc-service,ou=system,dc=noa,dc=gr" read
   by dn.base="uid=krb-adm-service,ou=system,dc=noa,dc=gr" write
   by * +0 break
This actually is causing a serious problem (I would even call it a "*hell situation*"), because we can no longer export/view our ACLs as ldif in a legible form. Moreover, we cannot edit this exported ldif and import it back to cover several editing needs.
I am pretty sure that after you have added the '\n' you have broken the ldif format. You may try '\n '.
Questions:
- Is there a way we can export ldif, while automatically removing such formatting so that the ldif content is legible/editable as normal text?
Best is you don't add additional characters. Here is a script to fix the output. It is based on what and how you have posted to this list. I have disabled "line breaks" in my mailer.
# t=$(echo "ezI2fXRvIGRuLnN1YnRyZWU9Im91PWtyYmNvbnRhaW5lcixkYz1ub2EsZGM9Z3Ii ICBhdHRycz1jaGlsZHJlbixlbnRyeQogICBieSBkbi5iYXNlPSJ1aWQ9ZG5zYXV0aHVzcixvdT1 zeXN0ZW0sZGM9bm9hLGRjPWdyIiBub25lICAKICAgYnkgZ3JvdXAvZ3JvdXBPZk5hbWVzL21lbW Jlci5leGFjdD0iY249dGVjaGFkbWlucyxvdT1ncm91cHMsZGM9bm9hLGRjPWdyIiB3cml0ZSAgC iAgIGJ5IGdyb3VwL2dyb3VwT2ZOYW1lcy9tZW1iZXIuZXhhY3Q9ImNuPXNwYWNlYWRtaW5zLG91 PWdyb3VwcyxkYz1ub2EsZGM9Z3IiIHJlYWQgIAogICBieSBncm91cC9ncm91cE9mTmFtZXMvbWV tYmVyLmV4YWN0PSJjbj1hc3Ryb2FkbWlucyxvdT1ncm91cHMsZGM9bm9hLGRjPWdyIiByZWFkIC AKICAgYnkgZ3JvdXAvZ3JvdXBPZk5hbWVzL21lbWJlci5leGFjdD0iY249Z2VpbmFkbWlucyxvd T1ncm91cHMsZGM9bm9hLGRjPWdyIiByZWFkICAKICAgYnkgZ3JvdXAvZ3JvdXBPZk5hbWVzL21l bWJlci5leGFjdD0iY249bWV0ZW9hZG1pbnMsb3U9Z3JvdXBzLGRjPW5vYSxkYz1nciIgcmVhZCA gCiAgIGJ5IGdyb3VwL2dyb3VwT2ZOYW1lcy9tZW1iZXIuZXhhY3Q9ImNuPW5lc3RvcmFkbWlucy xvdT1ncm91cHMsZGM9bm9hLGRjPWdyIiByZWFkICAKICAgYnkgZ3JvdXAvZ3JvdXBPZk5hbWVzL 21lbWJlci5leGFjdD0iY249Z3Vlc3RhZG1pbnMsb3U9Z3JvdXBzLGRjPW5vYSxkYz1nciIgcmVh ZCAgCiAgIGJ5IGRuLmJhc2U9InVpZD1hdXRoZW50aWNhdGUsb3U9c3lzdGVtLGRjPW5vYSxkYz1 nciIgcmVhZCAgCiAgIGJ5IGRuLmJhc2U9InVpZD1sb2dpbmF1dGhiaW5kLG91PXN5c3RlbSxkYz 1ub2EsZGM9Z3IiIHJlYWQgIAogICBieSBkbi5iYXNlPSJ1aWQ9a2RjLXNlcnZpY2Usb3U9c3lzd GVtLGRjPW5vYSxkYz1nciIgcmVhZCAgCiAgIGJ5IGRuLmJhc2U9InVpZD1rcmItYWRtLXNlcnZp Y2Usb3U9c3lzdGVtLGRjPW5vYSxkYz1nciIgd3JpdGUgIAogICBieSAqICswIGJyZWFr" |fmt_olcAccess |sed -ne 's/ //g;p'|base64 -d); echo "$t"|fmt_olcAccess
{26}to dn.subtree="ou=krbcontainer,dc=noa,dc=gr" attrs=children,entry
  by dn.base="uid=dnsauthusr,ou=system,dc=noa,dc=gr" none
  by group/groupOfNames/member.exact="cn=techadmins,ou=groups,dc=noa,dc=gr" write
  by group/groupOfNames/member.exact="cn=spaceadmins,ou=groups,dc=noa,dc=gr" read
  by group/groupOfNames/member.exact="cn=astroadmins,ou=groups,dc=noa,dc=gr" read
  by group/groupOfNames/member.exact="cn=geinadmins,ou=groups,dc=noa,dc=gr" read
  by group/groupOfNames/member.exact="cn=meteoadmins,ou=groups,dc=noa,dc=gr" read
  by group/groupOfNames/member.exact="cn=nestoradmins,ou=groups,dc=noa,dc=gr" read
  by group/groupOfNames/member.exact="cn=guestadmins,ou=groups,dc=noa,dc=gr" read
  by dn.base="uid=authenticate,ou=system,dc=noa,dc=gr" read
  by dn.base="uid=loginauthbind,ou=system,dc=noa,dc=gr" read
  by dn.base="uid=kdc-service,ou=system,dc=noa,dc=gr" read
  by dn.base="uid=krb-adm-service,ou=system,dc=noa,dc=gr" write
  by * +0 break
- Is there a way (some command) to automatically remove all CRs wherever they exist in olcAccess values, to avoid editing one by one (in order to remove all CRs)?
[Note: I have indications (though I have not tested sufficiently) that Apache Directory Studio may have problems in handling correctly ACL modifications when some of the olcAccess values are formatted as above. In one case I totally lost inexplicably all ACLs numbered higher than the olcAccess value I was editing. Just a word of caution, although I don't have enough test data at this time.]
Don't use tools for ACL-editing that don't work as expected. I use my self-written sed-filter to beautify olcAccess lines.
# cat $(which fmt_olcAccess)
#!/bin/sed -rf
# Author: Harry Jede
# produce human readable but still machine parseable
# olcAccess lines and removes the ordering numbers in {}
# because humans don't need them, really.

# disable next line, if you like the numbering
s/^(olcAccess: ){[[:digit:]]+}(.*$)/\1\2/
# collect every line except the last one in the hold space
$!{H;d}
# add more spaces after the second "\n" to have a greater indent
# TWO spaces is the minimum for correct ldif format
# on the last line: join ldif continuation lines, then start a new
# line before each "by" clause
${H;g;s/\n //g;s/[[:space:]]+by /\n  by /g}
This script does not delete any additional characters.
Please advise!
Thanks, Nick
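
One way to address the two questions in this thread, as an added example that is not part of the original messages: a POSIX shell filter that unfolds an LDIF export, decodes each base64 olcAccess:: value and writes it back as a plain single-line olcAccess: value. It assumes GNU coreutils base64; the function names and the sample entry are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU coreutils base64.

# Join LDIF continuation lines: a line starting with one space
# continues the previous line (RFC 2849 folding).
unfold_ldif() {
    awk '/^ / { buf = buf substr($0, 2); next }
         NR > 1 { print buf }
         { buf = $0 }
         END { if (NR > 0) print buf }'
}

# Decode one base64 value and collapse each whitespace run (including
# the CR/LF added for layout) to a single space. Caveat: a run of
# spaces inside a quoted DN or regex would be collapsed as well.
flatten_acl() {
    printf '%s' "$1" | base64 -d 2>/dev/null |
        tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'
}

# Filter: LDIF on stdin, LDIF on stdout with olcAccess:: values
# rewritten as plain single-line olcAccess: values where that is safe.
deformat_olcaccess() {
    unfold_ldif | while IFS= read -r line; do
        case $line in
        'olcAccess:: '*)
            plain=$(flatten_acl "${line#olcAccess:: }")
            # Keep base64 if nothing decoded or non-ASCII bytes remain.
            if [ -z "$plain" ] ||
               printf '%s' "$plain" | LC_ALL=C grep -q '[^ -~]'; then
                printf '%s\n' "$line"
            else
                printf 'olcAccess: %s\n' "$plain"
            fi ;;
        *) printf '%s\n' "$line" ;;
        esac
    done
}

# Constructed sample: one plain ACL and one CR-formatted ACL, encoded
# and folded the way an LDIF export would present it.
sample_ldif() {
    b64=$(printf '{1}to dn.subtree="ou=example,dc=example,dc=org"\n   by dn.base="uid=reader,dc=example,dc=org" read  \n   by * none' | base64 | tr -d '\n')
    printf 'dn: olcDatabase={1}hdb,cn=config\nolcAccess: {0}to * by * read\n'
    printf 'olcAccess:: %s\n %s\n' \
        "$(printf '%s' "$b64" | cut -c1-40)" "$(printf '%s' "$b64" | cut -c41-)"
}

sample_ldif | deformat_olcaccess
```

Pipe any LDIF export through deformat_olcaccess and compare the rewritten ACLs against the directory before importing the result back.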