Hey,
I have two questions:
1. Is it possible to specify a regexp as rootdn?
2. In an access-rule, I have a set like: by set="(user + ([cn=Current,cn=Time,cn=Monitor]/monitorTimestamp)) & (this/modifiersName + this/createTimestamp)" write
But it seems that the Monitor-Part isn't resolved correctly (returns empty and thus empty for the whole set).
What am I doing wrong here?
Thanks!
Regards, Kilian
Kilian Röhner writes:
> - Is it possible to specify a regexp as rootdn?
No, but if you use SASL (e.g. ldapsearch -H ldapi:// -QY EXTERNAL) or proxy auth, then you can use authz-regexp to rewrite multiple DNs to a single one which you then can use as rootDN.
> - In an access-rule, I have a set like:
> by set="(user + ([cn=Current,cn=Time,cn=Monitor]/monitorTimestamp)) & (this/modifiersName + this/createTimestamp)" write
You want to let bound users write to entries they created this second? Cool, but fragile since the creation might happen at the end of the second, and the next write op next second.
> But it seems that the Monitor-Part isn't resolved correctly (returns empty and thus empty for the whole set).
>> - Is it possible to specify a regexp as rootdn?
> No, but if you use SASL (e.g. ldapsearch -H ldapi:// -QY EXTERNAL) or proxy auth, then you can use authz-regexp to rewrite multiple DNs to a single one which you then can use as rootDN.
OK, that is what I am already doing. Currently, I bind every admin to cn=ldapadmin,XYZ but I would like to bind them to cn=<user>,cn=ldapadmin,XYZ so that I can see in the creatorsName and modifiersName of the Nodes who did what.
Would be nice for the future to have this (if this is the right place to say it).
>> - In an access-rule, I have a set like:
>> by set="(user + ([cn=Current,cn=Time,cn=Monitor]/monitorTimestamp)) & (this/modifiersName + this/createTimestamp)" write
> You want to let bound users write to entries they created this second? Cool, but fragile since the creation might happen at the end of the second, and the next write op next second.
Yes, that is what I'm trying to do. In fact, I want to allow some users only the creation of Nodes but not the modification or deletion. The problem is of course that openldap has only "read" and "write" rules, while the last one usually implies that one can add, modify and delete.
Does anyone have an idea why the Monitor thing is not working?
>> But it seems that the Monitor-Part isn't resolved correctly (returns empty and thus empty for the whole set).
Kilian Röhner writes:
>>> - Is it possible to specify a regexp as rootdn?
> (...) Would be nice for the future to have this (if this is the right place to say it).
If you want someone to remember, the right place is ITS http://www.openldap.org/its/. I doubt it'll happen anytime soon unless someone like you contributes a patch though.
It couldn't be rootdn since that also has another function, allow Bind with that and rootpw. It could be 'rootaccess' or something, maybe otherwise looking like an access statement. But even then, OpenLDAP internals would need some redesign.
> (...) The problem is of course that openldap has only "read" and "write" rules, while the last one usually implies that one can add, modify and delete.
No, "read" and "write" are shorthands for =dxcsr and =dxcsrwaz, as far as I can see. See 'THE <ACCESS> FIELD' in the slapd.access(5) manpage.
It helps to say what you want to achieve in addition to how you are trying to achieve it...
> Does anyone have an idea why the Monitor thing is not working?
Nope... might have a look later, it seems fine.
On 01.04.2011 13:25, Kilian Röhner wrote:
>>> - Is it possible to specify a regexp as rootdn?
>> No, but if you use SASL (e.g. ldapsearch -H ldapi:// -QY EXTERNAL) or proxy auth, then you can use authz-regexp to rewrite multiple DNs to a single one which you then can use as rootDN.
> OK, that is what I am already doing. Currently, I bind every admin to cn=ldapadmin,XYZ but I would like to bind them to cn=<user>,cn=ldapadmin,XYZ so that I can see in the creatorsName and modifiersName of the Nodes who did what.
> Would be nice for the future to have this (if this is the right place to say it).
Why don't you use ACLs to give admins the permissions they need? There's no need to abuse the rootdn for that.
>>> - In an access-rule, I have a set like:
>>> by set="(user + ([cn=Current,cn=Time,cn=Monitor]/monitorTimestamp)) & (this/modifiersName + this/createTimestamp)" write
>> You want to let bound users write to entries they created this second? Cool, but fragile since the creation might happen at the end of the second, and the next write op next second.
> Yes, that is what I'm trying to do. In fact, I want to allow some users only the creation of Nodes but not the modification or deletion. The problem is of course that openldap has only "read" and "write" rules, while the last one usually implies that one can add, modify and delete.
Take a look at slapd.access(5). There is an "add" privilege.
> Does anyone have an idea why the Monitor thing is not working?
>>> But it seems that the Monitor-Part isn't resolved correctly (returns empty and thus empty for the whole set).
Regards, Christian Manal
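A way to combine the two suggestions above (authz-regexp from Hallvard's reply, ACLs instead of rootdn from Christian's), as an added slapd.conf example that is not from the thread and not from the OpenLDAP project. Everything named in it is an assumption: the suffix dc=example,dc=com stands in for the thread's "XYZ", each admin has an entry cn=<user>,cn=ldapadmin,dc=example,dc=com carrying a uidNumber attribute, and admins bind over ldapi:// with SASL EXTERNAL exactly as in Hallvard's ldapsearch command.

```conf
# Added example, not from the thread. Assumed names: dc=example,dc=com (the
# thread's "XYZ"), per-admin entries cn=<user>,cn=ldapadmin,dc=example,dc=com
# that carry a uidNumber attribute, and admins connecting with
#   ldapsearch -H ldapi:// -QY EXTERNAL
# whose SASL identity then has the form
#   gidNumber=<gid>+uidNumber=<uid>,cn=peercred,cn=external,cn=auth

# Map each local uid to that admin's own DN instead of a shared rootdn, so
# creatorsName/modifiersName on changed entries name the individual admin.
# The "+" in the peercred DN is a regex metacharacter and is escaped the same
# way as in the OpenLDAP Administrator's Guide example for peercred mapping.
# The replacement is an LDAP URL: a one-level search below cn=ldapadmin for
# the entry whose uidNumber matches $1; it must return exactly one entry.
authz-regexp
    gidNumber=[0-9]+\+uidNumber=([0-9]+),cn=peercred,cn=external,cn=auth
    ldap:///cn=ldapadmin,dc=example,dc=com??one?(uidNumber=$1)

# The admins are now ordinary DNs, so their rights come from ACLs rather than
# from rootdn, and unlike rootdn they remain subject to those ACLs.
# dn.children matches every DN strictly below cn=ldapadmin,dc=example,dc=com.
# ACLs are evaluated in order, so these go before any broader rules.
access to attrs=userPassword
    by self write
    by dn.children="cn=ldapadmin,dc=example,dc=com" write
    by anonymous auth
    by * none

access to *
    by dn.children="cn=ldapadmin,dc=example,dc=com" write
    by * read
```

Keep the shared rootdn for the rare operations that really need it (it bypasses ACLs entirely); day-to-day changes made through the per-admin DNs will then show up under the individual admin in creatorsName and modifiersName.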
> Take a look at slapd.access(5). There is an "add" privilege.
OK, I didn't know this! Looking at table 6.4 in http://www.openldap.org/doc/admin24/access-control.html, I was under the impression that there is no such thing.
Also in "man slapd.access(5)", I read:
The add operation requires write (=w) privileges on the pseudo-attribute entry of the entry being added, and write (=w) privileges on the pseudo-attribute children of the entry's parent. When adding the suffix entry of a database, write access to children of the empty DN ("") is required.
So is it possible to just put something like this into an access-clause?
access to dn.exact="ou=abc" attrs=children by dn.exact="cn=foo,cn=bar" add
Thank you for all the replies so far! I will also look into what Jonathan wrote about the add_content_acl switch.
On 01.04.2011 14:09, Kilian Röhner wrote:
> So is it possible to just put something like this into an access-clause?
> access to dn.exact="ou=abc" attrs=children by dn.exact="cn=foo,cn=bar" add
As the manpage states, to add an entry you need 'write' permissions on the parent's pseudo-attribute "children" and at least 'add' permissions on the pseudo-attribute "entry" of the entry you want to add itself. Which means you'd need something like this:
access to dn.exact="ou=abc" attrs=children by dn.exact="cn=foo,cn=bar" write
access to dn.sub="ou=abc" attrs=entry by dn.exact="cn=foo,cn=bar" add
Regards, Christian Manal
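The two rules above, completed into a create-but-not-modify-or-delete ACL set for the case Kilian describes, as an added slapd.conf example that is not from the thread and not from the OpenLDAP project. It goes slightly beyond the two lines in the reply by also covering the ordinary attributes and the rule order. Assumed names: suffix dc=example,dc=com, parent ou=abc,dc=example,dc=com and creator cn=foo,cn=bar,dc=example,dc=com (the thread's ou=abc and cn=foo,cn=bar given a base). It grants add (=a) rather than write (=w) on the parent's children, because write would also grant delete (=z) of those children; in OpenLDAP 2.4 the add operation's check on children is satisfied by add, and if a given version insists on write there, as the man page text quoted earlier in the thread says, raise that one rule to write and accept that deletion then also becomes possible.

```conf
# Added example, not from the thread. Assumed names: suffix dc=example,dc=com,
# parent ou=abc,dc=example,dc=com, creator cn=foo,cn=bar,dc=example,dc=com.
# slapd.access(5) access levels are cumulative:
#   none < disclose < auth < compare < search < read < add/delete < write < manage
# and write (=w) is add (=a) plus delete (=z). Granting "add" instead of
# "write" is what keeps deletion out.

# 1. Creating a child of ou=abc needs access to the parent's "children"
#    pseudo-attribute. Only the creator gets it, and only at the "add" level,
#    so it cannot delete (=z) or rename away children of ou=abc.
access to dn.exact="ou=abc,dc=example,dc=com" attrs=children
    by dn.exact="cn=foo,cn=bar,dc=example,dc=com" add
    by * none

# 2. ...and "add" on the "entry" pseudo-attribute of the entry being created.
#    dn.one = the direct children of ou=abc, where the new entries will live.
#    "add" implies read, so the creator can still read what it created;
#    without delete (=z) here, deleting those entries is refused.
access to dn.one="ou=abc,dc=example,dc=com" attrs=entry
    by dn.exact="cn=foo,cn=bar,dc=example,dc=com" add
    by * read

# 3. The ordinary attributes of everything under ou=abc: read only.
#    Modify needs write (=w) on the attributes being changed, which this
#    rule grants to nobody, so created entries cannot be changed afterwards
#    except by rootdn, which bypasses ACLs.
#    A rule without "attrs" also covers the entry/children pseudo-attributes,
#    so rules 1 and 2 must stay above this one.
access to dn.subtree="ou=abc,dc=example,dc=com"
    by * read
```

Leave add_content_acl at its slapd.conf(5) default of off for this to work as intended: with it on, slapd additionally checks write access to each attribute of the entry being added, and the only way to grant that is to grant write on the attributes, which is modify access.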
openldap-technical@openldap.org