2:04 a.m.
Hi,
I am trying to write acl statements that implement to following scenario:
with the exception of cn=radius,ou=sa,dc=test,dc=com
every user should be able to see all objects under ou=users,dc=test,dc=com.
cn=radius,ou=sa,dc=test,dc=com should only see objects under ou=users,dc=test,dc=com with
objectClass=radiusprofile
I have tried the following acl statements which unfortunately do not work:
-------------------------------
{11}to filter="(!(objectClass=radiusprofile))"
by dn.exact="cn=radius,ou=sa,dc=test,dc=com" none
by * break
{12}to dn.subtree="ou=users,dc=test,dc=com" attrs=entry,@top,cn,entryUUID
by users read
by * break
-------------------------------
statement {11} results in cn=radius,ou=sa,dc=test,dc=com not being able to see any
objects.
interestingly if I set the filter in {11} to "(objectClass=radiusprofile)"
(without the inversion(!))
cn=radius,ou=sa,dc=test,dc=com can see all objects not having objectClass=radiusprofile,
which is exactly the opposite of what I am
trying to do.
why does the inversion (!) in the filter statement result in
cn=radius,ou=sa,dc=test,dc=com
not being able to see any objects?
Marvin
2:40 a.m.
Hi,
just a quick response without having tested it:
what about something like:
# cn=radius,ou=sa,dc=test,dc=com should only see objects under
ou=users,dc=test,dc=com with objectClass=radiusprofile
access to dn.subtree=ou=users,dc=test,dc=com
filter="(objectClass=radiusprofile)"
by dn=cn=radius,ou=sa,dc=test,dc=com read
# with the exception of cn=radius,ou=sa,dc=test,dc=com
# every user should be able to see all objects under
ou=users,dc=test,dc=com
access to dn.subtree=ou=users,dc=test,dc=com
by dn=cn=radius,ou=sa,dc=test,dc=com none
by users read
Cheers,
Peter
Am 15.08.2012 11:04, schrieb Mundry, Marvin:
Hi,
I am trying to write acl statements that implement to following scenario:
with the exception of cn=radius,ou=sa,dc=test,dc=com
every user should be able to see all objects under ou=users,dc=test,dc=com.
cn=radius,ou=sa,dc=test,dc=com should only see objects under ou=users,dc=test,dc=com with
objectClass=radiusprofile
I have tried the following acl statements which unfortunately do not work:
-------------------------------
{11}to filter="(!(objectClass=radiusprofile))"
by dn.exact="cn=radius,ou=sa,dc=test,dc=com" none
by * break
{12}to dn.subtree="ou=users,dc=test,dc=com" attrs=entry,@top,cn,entryUUID
by users read
by * break
-------------------------------
statement {11} results in cn=radius,ou=sa,dc=test,dc=com not being able to see any
objects.
interestingly if I set the filter in {11} to "(objectClass=radiusprofile)"
(without the inversion(!))
cn=radius,ou=sa,dc=test,dc=com can see all objects not having objectClass=radiusprofile,
which is exactly the opposite of what I am
trying to do.
why does the inversion (!) in the filter statement result in
cn=radius,ou=sa,dc=test,dc=com
not being able to see any objects?
Marvin
--
_______________________________________________________________________
Peter Gietz (CEO)
DAASI International GmbH phone: +49 7071 407109-0
Europaplatz 3 Fax: +49 7071 407109-9
D-72072 Tübingen mail: peter.gietz(a)daasi.de
Germany Web: www.daasi.de
DAASI International GmbH, Tübingen
Geschäftsführer Peter Gietz, Amtsgericht Stuttgart HRB 382175
Directory Applications for Advanced Security and Information Management
_______________________________________________________________________
5:03 a.m.
> I am trying to write acl statements that implement to following
scenario:
>
> with the exception of cn=radius,ou=sa,dc=test,dc=com every user should
> be able to see all objects under ou=users,dc=test,dc=com.
> cn=radius,ou=sa,dc=test,dc=com should only see objects under
> ou=users,dc=test,dc=com with objectClass=radiusprofile
On 15.08.2012 11:41, Peter Gietz wrote:
what about something like:
access to dn.subtree=ou=users,dc=test,dc=com
filter="(objectClass=radiusprofile)"
by dn=cn=radius,ou=sa,dc=test,dc=com read
access to dn.subtree=ou=users,dc=test,dc=com
by dn=cn=radius,ou=sa,dc=test,dc=com none
by users read
thanks for your help peter!
the statements you suggested result in in the same situation as those I came up with in my
last post.
the second statement (access by radius none) seems to override the first statement. ie. if
the second statement is in place
cn=radius is not able to see anything under ou=users,dc=test,dc=com anymore no matter what
objectclass the objects in the container
have.
regards,
marvin
3:46 a.m.
Am 16.08.2012 14:03, schrieb Mundry, Marvin:
>> I am trying to write acl statements that implement to
following scenario:
>>
>> with the exception of cn=radius,ou=sa,dc=test,dc=com every user should
>> be able to see all objects under ou=users,dc=test,dc=com.
>> cn=radius,ou=sa,dc=test,dc=com should only see objects under
>> ou=users,dc=test,dc=com with objectClass=radiusprofile
On 15.08.2012 11:41, Peter Gietz wrote:
> what about something like:
> access to dn.subtree=ou=users,dc=test,dc=com
filter="(objectClass=radiusprofile)"
> by dn=cn=radius,ou=sa,dc=test,dc=com read
> access to dn.subtree=ou=users,dc=test,dc=com
> by dn=cn=radius,ou=sa,dc=test,dc=com none
> by users read
thanks for your help peter!
the statements you suggested result in in the same situation as those I came up with in
my last post.
the second statement (access by radius none) seems to override the first statement. ie.
if the second statement is in place
cn=radius is not able to see anything under ou=users,dc=test,dc=com anymore no matter
what objectclass the objects in the container
have.
Now I did try it out and think I found a solution to your problem:
access to dn.children="ou=users,dc=test,dc=com"
filter="(objectClass=radiusprofile)"
by dn=cn=radius,ou=sa,dc=test,dc=com read
by users read
access to dn.children="ou=users,dc=test,dc=com"
by dn=cn=radius,ou=sa,dc=test,dc=com none
by users read
access to dn.base="ou=users,dc=test,dc=com"
by users read
Does this work for you?
Cheers,
Peter
regards,
marvin
--
_______________________________________________________________________
Peter Gietz (CEO)
DAASI International GmbH phone: +49 7071 407109-0
Europaplatz 3 Fax: +49 7071 407109-9
D-72072 Tübingen mail: peter.gietz(a)daasi.de
Germany Web: www.daasi.de
DAASI International GmbH, Tübingen
Geschäftsführer Peter Gietz, Amtsgericht Stuttgart HRB 382175
Directory Applications for Advanced Security and Information Management
_______________________________________________________________________
7:55 a.m.
Now I did try it out and think I found a solution to your problem:
access to dn.children="ou=users,dc=test,dc=com"
filter="(objectClass=radiusprofile)"
by dn=cn=radius,ou=sa,dc=test,dc=com read
by users read
access to dn.children="ou=users,dc=test,dc=com"
by dn=cn=radius,ou=sa,dc=test,dc=com none
by users read
access to dn.base="ou=users,dc=test,dc=com"
by users read
Does this work for you?
hi peter,
the acl statements you provided are working.
deploying them in our productive environment requires rewriting plenty of the existing
acls.
due to the risks associated with messing with the acls unfortunately I'll have to
postpone the modifications to the time between
christmas and new year's.
nevertheless thank you for your effort on finding a solution to my problem.
cheers,
marvin
3640
days inactive
3652
days old
openldap-technical@openldap.org
4 comments
2 participants
participants (2)
-
Mundry, Marvin -
Peter Gietz