Hello,
I am trying to use a group of the type "groupOfURLs" within an olcAccess rule. However, I am having trouble getting this to work.
For testing, I use a simple rule like: by set="[cn=test,ou=System,dc=example,dc=local]/member & user" write
where "test" consists of the objectClass "grouOfURLs", with the following query in the "memberURL" attribute: ldap:///ou=Users,dc=example,dc=local??one?(uid=*)
In my understanding, the query is executed when the group's content is requested. And it works; if I use "ldapsearch", I get the expected result. However, if I use this group in the olcAccess rule, it won't work. I tried to use a static group with the objectClass "groupOfMembers", which works.
All I found suggested that I could use a dynamic list within a rule. Am I missing something, or does it simply not work with dynamic lists?
Regards, Souji Thenria
Souji Thenria wrote:
Hello,
I am trying to use a group of the type "groupOfURLs" within an olcAccess rule. However, I am having trouble getting this to work.
For testing, I use a simple rule like: by set="[cn=test,ou=System,dc=example,dc=local]/member & user" write
That's not the right way to use groups.
Just use by group=cn=foo,... write
On 6/8/23 18:13, Howard Chu wrote:
Just use by group=cn=foo,... write
Thanks for the response.
I tried to use group=... and group.exact=... without success. The Administrator's Guide [1] says that group=... assumes that the objectClass is "groupOfNames", and if I use another objectClass, I should use: by group/<objectclass>/<attributename>=<DN> <access>
However, this method seems not to work with the objectClass "groupOfURLs". When I try to change the olcAccess policy, I get the error: ldap_modify: Other (e.g., implementation specific) error (80) additional info: <olcAccess> handler exited with 1
For further context, I wanted to use set=... because my goal is to create a rule which says: If a user wants to access his own attribute "X" and is in the group "test", he only has read access to it. For that, I would have created a rule like this: by set="this & [cn=test,ou=System,dc=example,dc=local]/member & user" read
Regards, Souji Thenria
--On Thursday, June 8, 2023 8:54 PM +0200 Souji Thenria mail@souji-thenria.net wrote:
On 6/8/23 18:13, Howard Chu wrote:
Just use by group=cn=foo,... write
Thanks for the response.
I tried to use group=... and group.exact=... without success. The Administrator's Guide [1] says that group=... assumes that the objectClass is "groupOfNames", and if I use another objectClass, I should use: by group/<objectclass>/<attributename>=<DN> <access>
That is for static groups, not dynamic groups.
You've not provided any examples of the 'group' ACLs you provided, nor the full context of your ACLs, so they may have not worked for any number of reasons.
--Quanah
On 08.06.2023 23:15, Quanah Gibson-Mount wrote:
I tried to use group=... and group.exact=... without success. The Administrator's Guide [1] says that group=... assumes that the objectClass is "groupOfNames", and if I use another objectClass, I should use: by group/<objectclass>/<attributename>=<DN> <access>
That is for static groups, not dynamic groups.
In that case, what's the correct approach to use a dynamic group inside an olcAccess rule? The Administrator's Guide says that dynamic groups are supported. But either I am blind, or both the slapo-dynlist(5) man page and the Dynamic Lists overlay section (in the Administrator's Guide) do not include information about ACLS.
You've not provided any examples of the 'group' ACLs you provided, nor the full context of your ACLs, so they may have not worked for any number of reasons.
This is the full ACL I was using: to attrs=userPassword by group="cn=test,ou=Groups,ou=System,dc=example,dc=local" read by self write by anonymous auth
However, this won't solve my problem in general. Even if the "by group=..." statement would work, it will give all group members read permissions on all users "userPassword " attribute. Whereas I want users in this group only to have read access to their own "userPassword" attribute, all other users not in this group should be able to change their own password. That's why I tried to use the "set" statement in the first place.
to attrs=userPassword by set="this & [cn=test,ou=Groups,ou=System,dc=example,dc=local]/member* & user" read by self write by anonymous auth
I want to prohibit some users from changing their passwords because they authenticate via SASL against Active Directory. And if they would change their password, they are no longer authenticating against the Active Directory.
--On Friday, June 9, 2023 5:13 PM +0200 Souji Thenria mail@souji-thenria.net wrote:
On 08.06.2023 23:15, Quanah Gibson-Mount wrote:
I tried to use group=... and group.exact=... without success. The Administrator's Guide [1] says that group=... assumes that the objectClass is "groupOfNames", and if I use another objectClass, I should use: by group/<objectclass>/<attributename>=<DN> <access>
That is for static groups, not dynamic groups.
In that case, what's the correct approach to use a dynamic group inside an olcAccess rule? The Administrator's Guide says that dynamic groups are supported. But either I am blind, or both the slapo-dynlist(5) man page and the Dynamic Lists overlay section (in the Administrator's Guide) do not include information about ACLS.
Howard already noted you can simply use group ACLs.
You've not provided any examples of the 'group' ACLs you provided, nor the full context of your ACLs, so they may have not worked for any number of reasons.
This is the full ACL I was using: to attrs=userPassword by group="cn=test,ou=Groups,ou=System,dc=example,dc=local" read by self write by anonymous auth
This lacks context, which I also noted was necessary.
There's zero information on:
a) what database this ACL is applied to, could be the cn=config db for all I know b) what ACLs may precede it that would take precedent.
--Quanah
On 6/9/23 21:39, Quanah Gibson-Mount wrote:
You've not provided any examples of the 'group' ACLs you provided, nor the full context of your ACLs, so they may have not worked for any number of reasons.
This is the full ACL I was using: to attrs=userPassword by group="cn=test,ou=Groups,ou=System,dc=example,dc=local" read by self write by anonymous auth
This lacks context, which I also noted was necessary.
There's zero information on:
a) what database this ACL is applied to, could be the cn=config db for all I know b) what ACLs may precede it that would take precedent.
--Quanah
I forgot this information; I am sorry for that. I hope that this will include the necessary information.
a) All ACLs apply to "olcDatabase={2}mdb,cn=config", and there is only one mdb database on this server.
b) I currently have 2 ACLs:
dn: olcDatabase={2}mdb,cn=config changetype: modify add: olcAccess olcAccess: {0} to attrs=userPassword by group="cn=test,ou=Groups,ou=System,dc=example,dc=local" read by self write by anonymous auth
dn: olcDatabase={2}mdb,cn=config changetype: modify add: olcAccess olcAccess: {1} to dn.subtree="dc=example,dc=local" by users read
c) And the dynlist module configuration is the following:
dn: cn=module{0},cn=config objectClass: olcModuleList cn: module{0} olcModuleLoad: {0}dynlist.la olcModulePath: /usr/lib64/openldap
dn: olcOverlay={0}dynlist,olcDatabase={2}mdb,cn=config objectClass: olcConfig objectClass: olcDynListConfig objectClass: olcOverlayConfig objectClass: top olcOverlay: {0}dynlist olcDynListAttrSet: {0}groupOfURLs memberURL member
On Fri, Jun 09, 2023 at 04:13:46PM +0200, Souji Thenria wrote:
On 08.06.2023 23:15, Quanah Gibson-Mount wrote:
I tried to use group=... and group.exact=... without success. The Administrator's Guide [1] says that group=... assumes that the objectClass is "groupOfNames", and if I use another objectClass, I should use: by group/<objectclass>/<attributename>=<DN> <access>
That is for static groups, not dynamic groups.
In that case, what's the correct approach to use a dynamic group inside an olcAccess rule? The Administrator's Guide says that dynamic groups are supported. But either I am blind, or both the slapo-dynlist(5) man page and the Dynamic Lists overlay section (in the Administrator's Guide) do not include information about ACLS.
See "man 5 slapd.access", it mentions both static groups (a DN-syntax attribute) and dynamic groups (attribute derived from labeledURI) in the "by groups=..." fragment. Dynlist isn't involved in ACL processing and you do not need to load/configure it for this to happen.
Regards,
On 6/12/23 11:55, Ondřej Kuzník wrote:
See "man 5 slapd.access", it mentions both static groups (a DN-syntax attribute) and dynamic groups (attribute derived from labeledURI) in the "by groups=..." fragment. Dynlist isn't involved in ACL processing and you do not need to load/configure it for this to happen.
Regards,
Hey,
Thanks a lot. Now I understand how to use a dynamic group in an ACL. I still need to fiddle around and get it to work like I want it to, but it is definitely the right direction.
Regards, Souji
Quanah Gibson-Mount wrote:
--On Thursday, June 8, 2023 8:54 PM +0200 Souji Thenria mail@souji-thenria.net wrote:
On 6/8/23 18:13, Howard Chu wrote:
Just use by group=cn=foo,... write
Thanks for the response.
I tried to use group=... and group.exact=... without success. The Administrator's Guide [1] says that group=... assumes that the objectClass is "groupOfNames", and if I use another objectClass, I should use: by group/<objectclass>/<attributename>=<DN> <access>
That is for static groups, not dynamic groups.
Irrelevant. The ACL engine supports both static and dynamic groups using the same syntax.
openldap-technical@openldap.org
-
Howard Chu -
Ondřej Kuzník -
Quanah Gibson-Mount -
Souji Thenria