I'm trying to set up access controls for the server. Here are the rules I am trying to implement:
olcAccess: {0}to attrs=userPassword,shadowLastChange by anonymous auth by self write by * none
olcAccess: {1}to dn.regex="ou=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$" by dn.exact,expand="uid=$1,ou=People,dc=moores,dc=ca" write by * none
olcAccess: {2}to dn.regex="ou=Contacts,cn=([^,]+),ou=Groups,dc=moores,dc=ca$" by group.exact,expand="cn=$1,ou=Groups,dc=moores,dc=ca" write by * none
olcAccess: {3}to dn.regex="cn=([^,]+),ou=Groups,dc=moores,dc=ca$" by group.exact,expand="cn=Admin,cn=$1,ou=Groups,dc=moores,dc=ca" write by group="cn=Management,ou=Groups,dc=moores,dc=ca" write by users read
olcAccess: {4}to dn.base="ou=Groups,dc=moores,dc=ca" by group.exact="cn=Management,ou=Groups,dc=moores,dc=ca" write by users read
olcAccess: {5}to dn.base="ou=People,dc=moores,dc=ca" by group.exact="cn=Management,ou=Groups,dc=moores,dc=ca" write by users read
olcAccess: {6}to * by users read by * none
-
Basically I have groups, and within those groups I have Contact lists and administrators. I want the administrator to have write access, other members to have read access, and non members to have none.
This rule is what I think should work for that:
dn.regex="ou=Contacts,cn=([^,]+),ou=Groups,dc=moores,dc=ca$" by group.exact,expand="cn=$1,ou=Groups,dc=moores,dc=ca" write by * none
I know this rule works for individual user contact lists:
dn.regex="ou=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$" by dn.exact,expand="uid=$1,ou=People,dc=moores,dc=ca" write by * none
I think the problem I am running into is having the <who> field as
group.exact,expand
Can I not do this? If not, is there any way to achieve the same result?
thanks, darryl
by ssf=128 set="[cn=admin,ou=groups,dc=domain,dc=tld]/member & user" write
->
any member of group 'admin' (groupOfNames) can write to...
I'm not sure if that's what you're trying to do.
Zdenek
Thanks, but not quite
if I have a group
cn=mygroup,ou=Groups,dc=....
then I also have a subgroup
cn=admin,cn=mygroup,ou=groups,dc=....
I want the members of the subgroup to have write access to the parent group, and the members of the parent group to only have read access.
Thanks Zdenek. Going back to my books, I am learning more thanks to your comment. I think I understand what you are saying, but to work I still need to be able to expand the regular expression,
so even with set="cn=..../member*" it would have to be set,expand="cn.../member*", because I have to match the group. I don't have a central admin group.
From what I've seen, ",expand" only works with dn. constructs. Is that right? How else can I do this?
cheers, darryl
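As an added example (not from anyone in the thread), the rule set from the first message rewritten with the `group.expand` who-style, which slapd.access(5) documents as the group counterpart of `dn.exact,expand`, encoding the access Darryl describes (Admin subgroup writes, group members read, everyone else nothing). The cn=config database DN and groupOfNames groups with a `member` attribute are assumptions.

```ldif
# Added example, not from anyone in the thread. Assumes the database is
# olcDatabase={1}hdb and that groups are groupOfNames with "member" (the
# slapd defaults for group=). Folded lines start with two spaces: LDIF
# strips one, the other keeps the tokens apart.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by anonymous auth
  by self write
  by * none
# Per-user contact lists: unchanged, the owner (uid=$1) writes.
olcAccess: {1}to dn.regex="ou=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$"
  by dn.exact,expand="uid=$1,ou=People,dc=moores,dc=ca" write
  by * none
# Group contact lists: group.expand substitutes $1 from the dn.regex into
# the DN of the group whose membership is checked. The by-clauses are
# tried in order and the first one that matches the requester decides.
olcAccess: {2}to dn.regex="ou=Contacts,cn=([^,]+),ou=Groups,dc=moores,dc=ca$"
  by group.expand="cn=Admin,cn=$1,ou=Groups,dc=moores,dc=ca" write
  by group.expand="cn=$1,ou=Groups,dc=moores,dc=ca" read
  by * none
# Group entries: Admin subgroup and Management write, own members read.
# The pattern is unanchored at the front, so it also matches the Admin
# subgroup entry itself with $1 set to the parent group's cn, i.e. a
# group's admins can edit their own Admin subgroup; add a leading ^ to
# the regex if that is not wanted.
olcAccess: {3}to dn.regex="cn=([^,]+),ou=Groups,dc=moores,dc=ca$"
  by group.expand="cn=Admin,cn=$1,ou=Groups,dc=moores,dc=ca" write
  by group.exact="cn=Management,ou=Groups,dc=moores,dc=ca" write
  by group.expand="cn=$1,ou=Groups,dc=moores,dc=ca" read
  by * none
# dn.base and group.exact take literal DNs, so the "$" regex anchor from
# the original rules does not belong here.
olcAccess: {4}to dn.base="ou=Groups,dc=moores,dc=ca"
  by group.exact="cn=Management,ou=Groups,dc=moores,dc=ca" write
  by users read
olcAccess: {5}to dn.base="ou=People,dc=moores,dc=ca"
  by group.exact="cn=Management,ou=Groups,dc=moores,dc=ca" write
  by users read
olcAccess: {6}to * by users read by * none
```

Because access clauses are matched in order on the target first, a group entry is decided entirely by rule {3}; rule {6} only ever applies to entries no earlier `to` clause matched.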
On 23/07/2009 18:22, Darryl Moore wrote:
You could probably achieve this with something like:
access to dn.children=ou=groups,dc=.... by set="([ldap:///] + this + [??one?cn=admin])/member & user" write by set="this/member & user" read
This will search for an entry named "cn=admin" one level under each group in ou=groups, and allow write access to its members.
Hope this helps, Jonathan
Hello Darryl,
I'm glad I could help a bit. I'm sorry, but I have been busy since yesterday (high-speed winds, electricity out and too much work on repairs). My knowledge of LDAP ACLs is basic and that was as far as I have made it so far. I think I've seen some examples in books, but I can't find any at the moment. You might also want to check http://www.openldap.org/doc/admin24/access-control.html '#8.5. Sets - Granting rights based on relationships', but I read it some time ago and "didn't get it too much" :( Maybe somebody experienced will pick up and help more.
Have a nice weekend, Zdenek
openldap-technical@openldap.org