We've got LDAP ACLs to restrict who can make changes to a group, like this one:
to dn.sub="ou=groups,dc=example,dc=com" by dnattr="owner" write by set="this/owner/member & user" write by users none by * none
so that both direct owners and people in groups that are owners can modify the group they own.
This works really well but now I want to list all of the groups that a DN matches against as an owner.
For direct owners, that is simple enough, but where someone is in a group and that group is an owner, it becomes trickier.
Is there a way of performing an LDAP search that does the equivalent of the ACL (or something like it) to tell me which groups can be written to for a given DN?
Regards
Philip
On Mon, Jan 16, 2017 at 03:21:41PM +0000, Philip Colmer wrote:
to dn.sub="ou=groups,dc=example,dc=com" by dnattr="owner" write by set="this/owner/member & user" write by users none by * none
Is there a way of performing an LDAP search that does the equivalent of the ACL (or something like it) to tell me which groups can be written to for a given DN?
I don't think you will be able to do that in a single LDAP operation on a standard server. The most efficient way is probably:
Search for all groups that the user is a member of, returning just the DN
Search for all groups where any of those DNs are found in the owner attribute
Beware, though, that if some users are members of very large numbers of groups then the search assertion could be very large...
If you have the memberof overlay then you may be able to simplify the process by having it maintain an 'ownerOf' attribute in the group entries. Then you could get what you want in a single search:
Match: (&(objectclass=groupOfNames)(member=<user DN>)) Return: ownerOf attribute
This may return multiple entries. You just need to gather up all the ownerOf values. To be really cute you could add the dynlist overlay to do this for you...
Andrew
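A worked version of Andrew's two-step approach, added here as an example and not code from the thread: it builds the two filters (with RFC 4515 escaping, and the owner OR-filter split into chunks to address the large-assertion caveat) and runs the same logic against a small constructed in-memory directory that stands in for the server. The sample DNs and the DN comparison are simplifications assumed for the example.

```python
# Added example (not from the thread): Andrew's two-step search, run against
# a constructed in-memory directory so it works offline. The filter strings
# are what you would hand to ldapsearch or python-ldap; the in-memory
# matching only stands in for the server.

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """RFC 4515 escaping so a DN used as an assertion value cannot break the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def member_filter(user_dn):
    """Step 1: groups the user is a direct member of (return just the DN)."""
    return "(&(objectClass=groupOfNames)(member=%s))" % escape_filter_value(user_dn)

def owner_filters(dns, chunk=100):
    """Step 2: groups whose owner is any of the given DNs. The OR is split into
    chunks so a user in very many groups does not yield one huge assertion."""
    dns = list(dns)
    return [
        "(&(objectClass=groupOfNames)(|%s))"
        % "".join("(owner=%s)" % escape_filter_value(d) for d in dns[i:i + chunk])
        for i in range(0, len(dns), chunk)
    ]

def _norm(dn):
    # Simplified DN comparison (assumption): lower-case, strip spaces at commas.
    return ",".join(p.strip() for p in dn.lower().split(","))

# Constructed sample directory: (dn, attributes).
DIRECTORY = [
    ("cn=admins,ou=groups,dc=example,dc=com",
     {"member": ["uid=alice,ou=people,dc=example,dc=com"]}),
    ("cn=devs,ou=groups,dc=example,dc=com",
     {"member": ["uid=bob,ou=people,dc=example,dc=com"],
      "owner": ["cn=admins,ou=groups,dc=example,dc=com"]}),
    ("cn=web,ou=groups,dc=example,dc=com",
     {"owner": ["uid=bob,ou=people,dc=example,dc=com"]}),
    ("cn=ops,ou=groups,dc=example,dc=com",
     {"owner": ["cn=devs,ou=groups,dc=example,dc=com"]}),
]

def groups_writable_by(user_dn, directory=DIRECTORY):
    """Group DNs the ACL lets user_dn write: direct owner, or member of an owner
    group (one level, exactly like set="this/owner/member & user")."""
    me = _norm(user_dn)
    member_of = {dn for dn, a in directory
                 if me in {_norm(m) for m in a.get("member", [])}}
    candidates = {me} | {_norm(d) for d in member_of}   # user DN plus step-1 DNs
    return sorted(dn for dn, a in directory
                  if candidates & {_norm(o) for o in a.get("owner", [])})
```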
Andrew Findlay wrote:
On Mon, Jan 16, 2017 at 03:21:41PM +0000, Philip Colmer wrote:
to dn.sub="ou=groups,dc=example,dc=com" by dnattr="owner" write by set="this/owner/member & user" write by users none by * none
Is there a way of performing an LDAP search that does the equivalent of the ACL (or something like it) to tell me which groups can be written to for a given DN?
I don't think you will be able to do that in a single LDAP operation on a standard server. The most efficient way is probably:
Search for all groups that the user is a member of, returning just the DN
Search for all groups where any of those DNs are found in the owner attribute
Beware, though, that if some users are members of very large numbers of groups then the search assertion could be very large...
If you have the memberof overlay then you may be able to simplify the process by having it maintain an 'ownerOf' attribute in the group entries. Then you could get what you want in a single search:
Match: (&(objectclass=groupOfNames)(member=<user DN>)) Return: ownerOf attribute
This may return multiple entries. You just need to gather up all the ownerOf values. To be really cute you could add the dynlist overlay to do this for you...
One DN reference level in search results can also be covered by using slapo-deref (provided the LDAP client also supports using that extended control).
Using dereferenced attribute values as assertion values in filters does not work.
So together with slapo-memberof maintaining an 'ownerOf' attribute this could be achieved with one search operation.
Ciao, Michael.
openldap-technical@openldap.org