Hello,
I have a production LDAP with some ACLs set. For historical reasons the synchronization is done with the root DN, which is bad. I want to add a user to perform synchronization; it must have the right to read everything.
Is the ACL "access to * by dn.exact=<somedn> break", added in first position, enough to read everything (even attributes that have been limited by some other ACL) AND not break the current configuration?
Thanks in advance.
f.g.
--On Thursday, March 4, 2021 5:44 PM +0100 Frédéric Goudal frederic.goudal@bordeaux-inp.fr wrote:
> Hello,
> I have a production LDAP with some ACLs set. For historical reasons the synchronization is done with the root DN, which is bad. I want to add a user to perform synchronization; it must have the right to read everything.
> Is the ACL "access to * by dn.exact=<somedn> break", added in first position, enough to read everything (even attributes that have been limited by some other ACL) AND not break the current configuration?
Generally what you would want is:
access to * by dn.exact=<somedn> by * break
So that only this ACL applies to somedn, and ACL processing for everything else continues as it did before.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
Hello,
Thanks for the correction I understand better now.
And then another question: there is no <access> keyword in the ACL.
Does it mean that the default value is read? The man page is not clear about it (or I have not read it correctly).
f.g.
On 4 March 2021 at 17:52, Quanah Gibson-Mount quanah@symas.com wrote:
> --On Thursday, March 4, 2021 5:44 PM +0100 Frédéric Goudal frederic.goudal@bordeaux-inp.fr wrote:
> > Hello,
> > I have a production LDAP with some ACLs set. For historical reasons the synchronization is done with the root DN, which is bad. I want to add a user to perform synchronization; it must have the right to read everything.
> > Is the ACL "access to * by dn.exact=<somedn> break", added in first position, enough to read everything (even attributes that have been limited by some other ACL) AND not break the current configuration?
> Generally what you would want is:
> access to * by dn.exact=<somedn> by * break
> So that only this ACL applies to somedn, and ACL processing for everything else continues as it did before.
> --Quanah
--On Friday, March 5, 2021 10:03 AM +0100 Frédéric Goudal frederic.goudal@bordeaux-inp.fr wrote:
> Hello,
> Thanks for the correction I understand better now.
> And then another question: there is no <access> keyword in the ACL.
> Does it mean that the default value is read? The man page is not clear about it (or I have not read it correctly).
I suggest reading the slapd.access(5) man page. It clearly notes that <access> is optional.
I.e.,
by * break
is perfectly valid.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
On 5 March 2021 at 17:31, Quanah Gibson-Mount quanah@symas.com wrote:
> --On Friday, March 5, 2021 10:03 AM +0100 Frédéric Goudal frederic.goudal@bordeaux-inp.fr wrote:
> > Hello,
> > Thanks for the correction I understand better now.
> > And then another question: there is no <access> keyword in the ACL.
> > Does it mean that the default value is read? The man page is not clear about it (or I have not read it correctly).
> I suggest reading the slapd.access(5) man page. It clearly notes that <access> is optional.
Yes, I have read that it's optional, but I have not found what the meaning of no access part in an ACL is. I understand that in the line "by * break" there is no need for an access level. But is there any other use case for no access level?
Thanks for your second answer; in the first line (access by dn.exact=<somedn>) the read was missing.
f.g.
On 3/6/21 1:41 PM, Frédéric Goudal wrote:
> I understand that in the line "by * break" there is no need for an access level. But is there any other use case for no access level?
Sorry for nit-picking: 'break' is not about assigning access rights (privileges or levels). 'stop', 'break' and 'continue' simply control the flow of ACL processing.
The same privileges could be altered by several ACLs processed and 'break' is needed for passing control flow to the next ACL.
See section 'THE <CONTROL> FIELD' of slapd.access(5) for details.
As an example you could also take a look at Æ-DIR's replication ACLs:
https://gitlab.com/ae-dir/ansible-ae-dir-server/-/blob/master/templates/slap...
In this setup 'ae-providers' is the group of all writeable provider replicas and 'ae-replicas' is the group of all provider *and* read-only consumer replicas.
Ciao, Michael.
--On Friday, March 5, 2021 10:03 AM +0100 Frédéric Goudal frederic.goudal@bordeaux-inp.fr wrote:
> Hello,
> Thanks for the correction I understand better now.
> And then another question: there is no <access> keyword in the ACL.
> Does it mean that the default value is read? The man page is not clear about it (or I have not read it correctly).
> access to * by dn.exact=<somedn> by * break
Ah, you meant the first line. Yes, it's missing the "read" access level, sorry. ;)
access to * by dn.exact=<somedn> read by * break
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
openldap-technical@openldap.org