Hi, I am trying to write acl statements that implement the following scenario:
with the exception of cn=radius,ou=sa,dc=test,dc=com every user should be able to see all objects under ou=users,dc=test,dc=com. cn=radius,ou=sa,dc=test,dc=com should only see objects under ou=users,dc=test,dc=com with objectClass=radiusprofile
I have tried the following acl statements which unfortunately do not work:
-------------------------------
{11}to filter="(!(objectClass=radiusprofile))" by dn.exact="cn=radius,ou=sa,dc=test,dc=com" none by * break
{12}to dn.subtree="ou=users,dc=test,dc=com" attrs=entry,@top,cn,entryUUID by users read by * break
-------------------------------
statement {11} results in cn=radius,ou=sa,dc=test,dc=com not being able to see any objects. interestingly if I set the filter in {11} to "(objectClass=radiusprofile)" (without the inversion (!)) cn=radius,ou=sa,dc=test,dc=com can see all objects not having objectClass=radiusprofile, which is exactly the opposite of what I am trying to do.
why does the inversion (!) in the filter statement result in cn=radius,ou=sa,dc=test,dc=com not being able to see any objects?
Marvin
Hi,
just a quick response without having tested it:
what about something like:
# cn=radius,ou=sa,dc=test,dc=com should only see objects under ou=users,dc=test,dc=com with objectClass=radiusprofile
access to dn.subtree=ou=users,dc=test,dc=com filter="(objectClass=radiusprofile)" by dn=cn=radius,ou=sa,dc=test,dc=com read

# with the exception of cn=radius,ou=sa,dc=test,dc=com
# every user should be able to see all objects under ou=users,dc=test,dc=com
access to dn.subtree=ou=users,dc=test,dc=com by dn=cn=radius,ou=sa,dc=test,dc=com none by users read
Cheers,
Peter
On 15.08.2012 11:04, Mundry, Marvin wrote:
> Hi, I am trying to write acl statements that implement the following scenario:
> with the exception of cn=radius,ou=sa,dc=test,dc=com every user should be able to see all objects under ou=users,dc=test,dc=com. cn=radius,ou=sa,dc=test,dc=com should only see objects under ou=users,dc=test,dc=com with objectClass=radiusprofile
> I have tried the following acl statements which unfortunately do not work:
> {11}to filter="(!(objectClass=radiusprofile))" by dn.exact="cn=radius,ou=sa,dc=test,dc=com" none by * break
> {12}to dn.subtree="ou=users,dc=test,dc=com" attrs=entry,@top,cn,entryUUID by users read by * break
> statement {11} results in cn=radius,ou=sa,dc=test,dc=com not being able to see any objects. interestingly if I set the filter in {11} to "(objectClass=radiusprofile)" (without the inversion (!)) cn=radius,ou=sa,dc=test,dc=com can see all objects not having objectClass=radiusprofile, which is exactly the opposite of what I am trying to do.
> why does the inversion (!) in the filter statement result in cn=radius,ou=sa,dc=test,dc=com not being able to see any objects?
> Marvin
I am trying to write acl statements that implement the following scenario:
with the exception of cn=radius,ou=sa,dc=test,dc=com every user should be able to see all objects under ou=users,dc=test,dc=com. cn=radius,ou=sa,dc=test,dc=com should only see objects under ou=users,dc=test,dc=com with objectClass=radiusprofile
On 15.08.2012 11:41, Peter Gietz wrote:
> what about something like:
> access to dn.subtree=ou=users,dc=test,dc=com filter="(objectClass=radiusprofile)" by dn=cn=radius,ou=sa,dc=test,dc=com read
> access to dn.subtree=ou=users,dc=test,dc=com by dn=cn=radius,ou=sa,dc=test,dc=com none by users read
thanks for your help peter! the statements you suggested result in the same situation as those I came up with in my last post.
the second statement (access by radius none) seems to override the first statement. ie. if the second statement is in place cn=radius is not able to see anything under ou=users,dc=test,dc=com anymore no matter what objectclass the objects in the container have.
regards, marvin
On 16.08.2012 14:03, Mundry, Marvin wrote:
> I am trying to write acl statements that implement the following scenario:
> with the exception of cn=radius,ou=sa,dc=test,dc=com every user should be able to see all objects under ou=users,dc=test,dc=com. cn=radius,ou=sa,dc=test,dc=com should only see objects under ou=users,dc=test,dc=com with objectClass=radiusprofile
> On 15.08.2012 11:41, Peter Gietz wrote:
>> what about something like:
>> access to dn.subtree=ou=users,dc=test,dc=com filter="(objectClass=radiusprofile)" by dn=cn=radius,ou=sa,dc=test,dc=com read
>> access to dn.subtree=ou=users,dc=test,dc=com by dn=cn=radius,ou=sa,dc=test,dc=com none by users read
> thanks for your help peter! the statements you suggested result in the same situation as those I came up with in my last post.
> the second statement (access by radius none) seems to override the first statement. ie. if the second statement is in place cn=radius is not able to see anything under ou=users,dc=test,dc=com anymore no matter what objectclass the objects in the container have.
Now I did try it out and think I found a solution to your problem:
access to dn.children="ou=users,dc=test,dc=com" filter="(objectClass=radiusprofile)" by dn=cn=radius,ou=sa,dc=test,dc=com read by users read
access to dn.children="ou=users,dc=test,dc=com" by dn=cn=radius,ou=sa,dc=test,dc=com none by users read
access to dn.base="ou=users,dc=test,dc=com" by users read
Does this work for you?
Cheers,
Peter
> regards, marvin
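The following is an added Python model of how slapd evaluates a list of access directives; it is not code from this thread and not OpenLDAP code. It follows the semantics documented in slapd.access(5): for a given entry the first `access to` directive whose target part matches is selected, inside it the first `by` clause that matches the requester decides, the default control `stop` ends evaluation, `break` moves on to the next directive, and an entry that matches a target but none of its `by` clauses is denied; a subtree search returns nothing unless the search base entry itself is readable. Run over a constructed fragment of ou=users (one person entry, one radiusprofile entry) and two identities (cn=radius and a constructed ordinary user cn=alice), it reproduces what the thread reports: Marvin's {11}/{12} pair and Peter's first suggestion leave cn=radius with nothing, because the ou=users entry itself falls under the `none` clause, the non-negated filter variant shows cn=radius exactly the non-radiusprofile entries, and Peter's final three-directive version shows cn=radius only the radiusprofile entry and everyone else the whole container. The model also goes one step beyond the thread: it shows that Peter's first suggestion hides radiusprofile entries from all other users too, which the `by users read` added to the first directive of the final version repairs. The `attrs=` list of {12} is ignored, `dn=` is treated as an exact match, and every rule is assumed to refer to ou=users,dc=test,dc=com.

```python
"""Toy model of slapd access-directive evaluation (added example, not OpenLDAP code).

Modelled, per slapd.access(5): first matching 'to' directive wins; inside it the
first matching 'by' clause decides; 'stop' (default) ends evaluation, 'break'
continues with the next directive; no matching 'by' means deny; a subtree search
returns nothing if the base entry is not readable. Only objectClass filters,
dn.base/children/subtree scopes and the levels 'none'/'read' are modelled.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

BASE = "ou=users,dc=test,dc=com"            # every rule in the thread targets this subtree
RADIUS = "cn=radius,ou=sa,dc=test,dc=com"
ALICE = "cn=alice,ou=sa,dc=test,dc=com"     # constructed: an ordinary authenticated user

# Constructed directory fragment: DN -> objectClass values
ENTRIES = {
    BASE: {"organizationalUnit"},
    "cn=bob," + BASE: {"person"},            # constructed plain user entry
    "cn=ap1," + BASE: {"radiusprofile"},     # constructed radius profile entry
}


@dataclass
class Access:
    scope: Optional[str]            # "base", "children", "subtree" or None (no dn clause)
    filter_class: Optional[str]     # required objectClass; leading "!" negates; None = no filter
    by: List[Tuple[str, str, str]]  # (who, level, control); who is a DN, "users" or "*"


def is_child(dn: str, base: str) -> bool:
    return dn != base and dn.endswith("," + base)


def target_matches(rule: Access, dn: str, classes: Set[str]) -> bool:
    """Does the 'to' part of the directive select this entry?"""
    if rule.scope == "base" and dn != BASE:
        return False
    if rule.scope == "children" and not is_child(dn, BASE):
        return False
    if rule.scope == "subtree" and not (dn == BASE or is_child(dn, BASE)):
        return False
    if rule.filter_class:
        negated = rule.filter_class.startswith("!")
        wanted = rule.filter_class.lstrip("!")
        if (wanted in classes) == negated:   # filter (or its negation) does not hold
            return False
    return True


def who_matches(who: str, binddn: str) -> bool:
    # 'dn=' is modelled as an exact match; 'users' is any authenticated identity
    return who in ("*", "users") or who == binddn


def can_read(rules: List[Access], binddn: str, dn: str) -> bool:
    """First-match evaluation of the directive list for read access to entry dn."""
    classes = ENTRIES[dn]
    for rule in rules:
        if not target_matches(rule, dn, classes):
            continue
        for who, level, control in rule.by:
            if not who_matches(who, binddn):
                continue
            if level == "read":
                return True
            if control == "break":
                break                        # 'none break': try the next directive
            return False                     # 'none stop' (the default control)
        else:
            return False                     # target matched but no 'by' did: implicit deny
    return False                             # no directive matched at all


def visible(rules: List[Access], binddn: str) -> Set[str]:
    """DNs below BASE that binddn gets back from a subtree search with base BASE."""
    if not can_read(rules, binddn, BASE):
        return set()                         # base entry not readable: nothing is returned
    return {dn for dn in ENTRIES if is_child(dn, BASE) and can_read(rules, binddn, dn)}


# Marvin's original {11}/{12} pair ('by * break' modelled as level none, control break)
MARVIN_ORIGINAL = [
    Access(None, "!radiusprofile", [(RADIUS, "none", "stop"), ("*", "none", "break")]),
    Access("subtree", None, [("users", "read", "stop"), ("*", "none", "break")]),
]
# The variant Marvin describes with the inversion removed from {11}
MARVIN_NO_NEGATION = [
    Access(None, "radiusprofile", [(RADIUS, "none", "stop"), ("*", "none", "break")]),
    Access("subtree", None, [("users", "read", "stop"), ("*", "none", "break")]),
]
# Peter's first (untested) suggestion
PETER_FIRST = [
    Access("subtree", "radiusprofile", [(RADIUS, "read", "stop")]),
    Access("subtree", None, [(RADIUS, "none", "stop"), ("users", "read", "stop")]),
]
# Peter's tested three-directive solution
PETER_FINAL = [
    Access("children", "radiusprofile", [(RADIUS, "read", "stop"), ("users", "read", "stop")]),
    Access("children", None, [(RADIUS, "none", "stop"), ("users", "read", "stop")]),
    Access("base", None, [("users", "read", "stop")]),
]

if __name__ == "__main__":
    for name, rules in [("marvin {11}/{12}", MARVIN_ORIGINAL), ("marvin no (!)", MARVIN_NO_NEGATION),
                        ("peter first", PETER_FIRST), ("peter final", PETER_FINAL)]:
        for who in (RADIUS, ALICE):
            print(f"{name:17s} {who.split(',')[0]:10s} -> {sorted(visible(rules, who))}")
```

Running it prints, for each ruleset and identity, the DNs a subtree search of ou=users would return; the point of the model is that a `by ... none` clause on a directive whose target also covers the search base entry cuts the search off before any child is examined, which is why the final version scopes the deny to `dn.children` and grants the base entry separately with `dn.base`.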
> Now I did try it out and think I found a solution to your problem:
> access to dn.children="ou=users,dc=test,dc=com" filter="(objectClass=radiusprofile)" by dn=cn=radius,ou=sa,dc=test,dc=com read by users read
> access to dn.children="ou=users,dc=test,dc=com" by dn=cn=radius,ou=sa,dc=test,dc=com none by users read
> access to dn.base="ou=users,dc=test,dc=com" by users read
> Does this work for you?
hi peter, the acl statements you provided are working. deploying them in our productive environment requires rewriting plenty of the existing acls. due to the risks associated with messing with the acls unfortunately I'll have to postpone the modifications to the time between christmas and new year's. nevertheless thank you for your effort on finding a solution to my problem.
cheers,
marvin
openldap-technical@openldap.org