Bogdan Rudas wrote:
> Hello all,
>
> I would like to start using olcAccess rules. Is there a
> human-friendly editor for those ACLs?
Use any editor you wish. It is just text!
> I can't even use line breaks in ldif file to make my restrictions a
> bit more readable!
One can use line breaks, no problem. But understanding ldif file
syntax is important.
Often one has very long lines in ldif files.
A standard terminal has a width of 80 characters. Longer lines get
broken at character 78. Character 79 is a newline "\n", character 80
is one space " ". So the output you get looks like this:
line no   text
1         "78 bytes" + "\n"
2         "one space" + "next 78 bytes" + "\n"
3         "one space" + "next 78 bytes" + "\n"
This happens during a ldapsearch operation. If you upload this
ldif to a ldapserver these two bytes "\n " will be removed.
Conclusion:
One may add a newline to a ldif file by adding two characters
"\n + space". You may add as many newlines as you wish.
i.e.
open
 l
 a
 p
becomes "openlap" after upload.
open
  l
  a
 p
becomes "open l ap" after upload
> I strongly dislike very long string values; one
> day this will cause a mistake and an access violation.
>
> I've tried with Apache DS, ldif import and a few puppet modules;
> everything requires huge line ACLs.
No, not really. They just require properly formatted ldif input.
man ldif, section "ENTRY RECORD EXAMPLE", attribute jpegPhoto
> Any help will be welcome.
read this thread:
http://www.openldap.org/lists/openldap-technical/201402/threads.html#00105
here is a small filter which may help you:
# cat $(which fmt_olcAccess)
#!/bin/sed -rf
# Author: Harry Jede
# produce human readable but still machine parseable
# olcAccess lines and removes the ordering numbers in {}
# because humans don't need them, really.
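# the whole script
# (the replacement in line 3 has two spaces after \n: the first is the
# ldif continuation space, the second stays in front of "by")
s/^(olcAccess: )\{[[:digit:]]+\}(.*$)/\1\2/
$!{H;d}
${H;g;s/\n //g;s/[[:space:]]+by /\n  by /g}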
info sed explains the commands
in short
line 1: removes the ordering numbers
line 2: concatenates all lines into the hold buffer
line 3: moves the hold buffer back to the pattern buffer
        s/\n //g deletes any occurrence of "\n "
        finally searches for " by" and adds an
        ldif line break in front of " by"
--
Harry Jede
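
Added example, not part of the original message or of the filter posted in it: the folding rule described above, applied in POSIX sh and awk, with a round-trip check that a reformatted olcAccess value unfolds to exactly the value the server had. The function names and the sample entry are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names and the sample entry are constructed.

# Constructed sample: one olcAccess value, folded as ldapsearch prints it.
sample() {
cat <<'EOF'
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn.base
 ="cn=admin,dc=example,dc=org" write by * none
EOF
}

# Join continuation lines: a newline followed by one space is removed,
# which is what happens to the value on upload.
unfold() {
    awk 'NR > 1 && /^ / { buf = buf substr($0, 2); next }
         NR > 1         { print buf }
                        { buf = $0 }
         END            { if (NR) print buf }'
}

# Put each "by" clause on its own continuation line. The replacement has two
# spaces: the first is the continuation marker, the second survives as the
# separator in front of "by".
pretty_acl() {
    unfold | awk '/^olcAccess: / { gsub(/[ \t]+by /, "\n  by ") } { print }'
}

# Same formatter with a single space: the separator is lost on upload
# ("...userPasswordby self write...") and the server receives a different value.
pretty_acl_one_space() {
    unfold | awk '/^olcAccess: / { gsub(/[ \t]+by /, "\n by ") } { print }'
}

# roundtrip_ok FORMATTER: true only if FORMATTER's output unfolds to the same
# text as the original, i.e. the server would store an identical value.
roundtrip_ok() {
    [ "$(sample | unfold)" = "$(sample | "$1" | unfold)" ]
}

sample | pretty_acl
roundtrip_ok pretty_acl && echo "pretty_acl: value unchanged"
roundtrip_ok pretty_acl_one_space || echo "pretty_acl_one_space: value CHANGED"
```

Running the same comparison on a real export before ldapmodify shows whether a hand-edited ACL still unfolds to the rule that was intended.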