Hi,
We would like to use ACL statements of the form (used for illustration purposes):
access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=xxxxx)" attrs="someAttrs" by group.exact="cn=xxxxxAdmins,ou=Groups,dc=example,dc=com" write by group.exact="cn=allAdmins,ou=Groups,dc=example,dc=com" read by self read
where xxxxx is some string.
In essence, we assign people entries to various administrative groups, depending on the value of the ou attribute of the entry.
Of course we can write many statements, one per ou value / admin group, but it would be much more concise to use just one statement using wildcards.
Could someone please suggest if and how the above can be written correctly, using e.g. regex?
I appreciate any suggestions.
Thanks, Nick
Nick Milas wrote:
Hi,
We would like to use ACL statements of the form (used for illustration purposes):
access to dn.subtree="ou=people,dc=example,dc=com"
filter="(ou=xxxxx)" attrs="someAttrs" by group.exact="cn=xxxxxAdmins,ou=Groups,dc=example,dc=com" write by group.exact="cn=allAdmins,ou=Groups,dc=example,dc=com" read by self read
where xxxxx is some string.
In essence, we assign people entries to various administrative groups, depending on the value of the ou attribute of the entry.
Of course we can write many statements, one per ou value / admin group, but it would be much more concise to use just one statement using wildcards.
Could someone please suggest if and how the above can be written correctly, using e.g. regex?
If: yes. How: RTFM. http://www.openldap.org/doc/admin24/access-control.html#Access%20Control%20C...
I appreciate any suggestions.
Thanks, Nick
On 26/2/2012 2:18 πμ, Howard Chu wrote:
How: RTFM. http://www.openldap.org/doc/admin24/access-control.html#Access%20Control%20C...
I appreciate any suggestions.
I do (RTFM) - sometimes a bit hastily, I admit. We have to administer a large number of diverse systems and time does not always allow to read all docs of each exhaustively, I am afraid. Experienced members' directions can give us a starting point when we get stuck.
In this case, I spent quite some time with it. It seems to me that it would require to use regex *in a filter* and then group.expand based on the results. But is this possible? Any alternatives?
Thanks, Nick
On 26/2/2012 1:22 μμ, Nick Milas wrote:
It seems to me that it would require to use regex *in a filter* and then group.expand based on the results. But is this possible? Any alternatives?
Hmm, no one?
Let me re-phrase: Can we express the following three statements using ONE ACL statement? I haven't been able to find a solution.
access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept1)" attrs="attr1,attr2" by group.exact="cn=dept1Admins,ou=Groups,dc=example,dc=com" write
access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept2)" attrs="attr1,attr2" by group.exact="cn=dept2Admins,ou=Groups,dc=example,dc=com" write
access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept3)" attrs="attr1,attr2" by group.exact="cn=dept3Admins,ou=Groups,dc=example,dc=com" write
Or any alternative suggestions to achieve the same result?
Thanks, Nick
On Tue, 27 Mar 2012, Nick Milas wrote:
On 26/2/2012 1:22 μμ, Nick Milas wrote:
It seems to me that it would require to use regex *in a filter* and then group.expand based on the results. But is this possible? Any alternatives?
Hmm, no one?
Let me re-phrase: Can we express the following three statements using ONE ACL statement? I haven't been able to find a solution.
access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept1)" attrs="attr1,attr2" by group.exact="cn=dept1Admins,ou=Groups,dc=example,dc=com" write
access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept2)" attrs="attr1,attr2" by group.exact="cn=dept2Admins,ou=Groups,dc=example,dc=com" write
access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept3)" attrs="attr1,attr2" by group.exact="cn=dept3Admins,ou=Groups,dc=example,dc=com" write
Or any alternative suggestions to achieve the same result?
Thanks, Nick
I'm being super-dangerous by writing this on my way out the door, but with that caveat, I believe:
access to dn.subtree=<what> filter="(ou=dept1)" by group="cn=dept1,ou=Administrators,ou=Groups,dc=example,dc=com" read
is plausible with a set.expand. You might not even use the filter, just the set alone to check this/ou versus the expanded group. Basically I'm not certain if mapping "dept1" <> "dept1Admins" is achievable, hence the direct "dept1" <> "dept1" treatment. You might be able to use a '+' to add the "Admins" static string from your question but I'm not sure.
Am Tue, 27 Mar 2012 15:23:30 +0300 schrieb Nick Milas nick@eurobjects.com:
On 26/2/2012 1:22 μμ, Nick Milas wrote:
It seems to me that it would require to use regex *in a filter* and then group.expand based on the results. But is this possible? Any alternatives?
Hmm, no one?
Let me re-phrase: Can we express the following three statements using ONE ACL statement? I haven't been able to find a solution.
access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept1)" attrs="attr1,attr2" by group.exact="cn=dept1Admins,ou=Groups,dc=example,dc=com" write
access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept2)" attrs="attr1,attr2" by group.exact="cn=dept2Admins,ou=Groups,dc=example,dc=com" write
access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept3)" attrs="attr1,attr2" by group.exact="cn=dept3Admins,ou=Groups,dc=example,dc=com" write
Or any alternative suggestions to achieve the same result?
According to slapd.access(5) these are valid access rules, but you may expand the attribute list to pseudo attribute types entry and children.
-Dieter
On 26/2/2012 1:22 μμ, Nick Milas wrote:
It seems to me that it would require to use regex *in a filter* and then group.expand based on the results. But is this possible? Any alternatives?
Hmm, no one?
Let me re-phrase: Can we express the following three statements using ONE ACL statement? I haven't been able to find a solution.
access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept1)" attrs="attr1,attr2" by group.exact="cn=dept1Admins,ou=Groups,dc=example,dc=com" write
access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept2)" attrs="attr1,attr2" by group.exact="cn=dept2Admins,ou=Groups,dc=example,dc=com" write
access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept3)" attrs="attr1,attr2" by group.exact="cn=dept3Admins,ou=Groups,dc=example,dc=com" write
Or any alternative suggestions to achieve the same result?
Thanks, Nick
Assuming these org units are under ou=people, try this:
access to dn.regex="ou=([^,]+),ou=people,dc=example,dc=com" attrs="attr1,attr2" by dn.regex="cn=$1Admins,ou=Groups,dc=example,dc=com" write
Joe
Joe Friedeggs wrote:
On 26/2/2012 1:22 μμ, Nick Milas wrote:
It seems to me that it would require to use regex *in a filter* and then group.expand based on the results. But is this possible? Any alternatives?
Hmm, no one?
Let me re-phrase: Can we express the following three statements using ONE ACL statement? I haven't been able to find a solution.
access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept1)" attrs="attr1,attr2" by group.exact="cn=dept1Admins,ou=Groups,dc=example,dc=com" write
access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept2)" attrs="attr1,attr2" by group.exact="cn=dept2Admins,ou=Groups,dc=example,dc=com" write
access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept3)" attrs="attr1,attr2" by group.exact="cn=dept3Admins,ou=Groups,dc=example,dc=com" write
Or any alternative suggestions to achieve the same result?
Assuming these org units are under ou=people, try this:
access to dn.regex="ou=([^,]+),ou=people,dc=example,dc=com" attrs="attr1,attr2" by dn.regex="cn=$1Admins,ou=Groups,dc=example,dc=com" write
From what the original poster wrote he has just ou-attributes in person entries, not separate DIT containers.
Ciao, Michael.
On 26/2/2012 1:22 μμ, Nick Milas wrote:
It seems to me that it would require to use regex *in a filter* and then group.expand based on the results. But is this possible? Any alternatives?
Hmm, no one?
Let me re-phrase: Can we express the following three statements using ONE ACL statement? I haven't been able to find a solution.
access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept1)" attrs="attr1,attr2" by group.exact="cn=dept1Admins,ou=Groups,dc=example,dc=com" write
access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept2)" attrs="attr1,attr2" by group.exact="cn=dept2Admins,ou=Groups,dc=example,dc=com" write
access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept3)" attrs="attr1,attr2" by group.exact="cn=dept3Admins,ou=Groups,dc=example,dc=com" write
Or any alternative suggestions to achieve the same result?
Thanks, Nick
Assuming these org units are under ou=people, have you tried something like this?
access to dn.regex="ou=([^,]+),ou=people,dc=example,dc=com" attrs="attr1,attr2" by dn.regex="cn=$1Admins,ou=Groups,dc=example,dc=com" write
Joe
On 27/3/2012 4:29 μμ, Joe Friedeggs wrote:
Assuming these org units are under ou=people, have you tried something like this?
Negative. ou here is an attribute of the entry, not a separate org unit.
That's why I haven't found a solution, either with regexp/expand or with set/expand.
A solution seems possible to me only if ACL regex match/expand were possible in the filter rather than in the <what> part, yet I don't think it is.
What I see as a solution is to explicitly add an owner attribute to each entry (with the appropriate owner DN) and create an ACL to test this attribute value.
Or this: http://www.openldap.org/lists/openldap-technical/201202/msg00344.html
But I still would like to have experienced people's feedback on this, before deciding.
Nick.
Nick Milas wrote:
Let me re-phrase: Can we express the following three statements using ONE ACL statement? I haven't been able to find a solution.
access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept1)" attrs="attr1,attr2" by group.exact="cn=dept1Admins,ou=Groups,dc=example,dc=com" write [...same with other depts...]
This should work with normal OU names, but I'd feel nervous using it since OU names involving '] ... [' would give an "ACL injection attack":
access to dn.subtree="ou=people,dc=example,dc=com" attrs="attr1,attr2" filter="(ou=dept*)" by set.exact="user & ([cn=] + this/ou + [Admins,ou=Groups,dc=example,dc=com])/member" write
I'd feel safer with the group DN of the admin in an attribute in the entry (here the owner attribute):
access to dn.subtree="ou=people,dc=example,dc=com" attrs="attr1,attr2" filter="(owner=*)" by set.exact="user & this/owner/member" write
OTOH anyone who has access to update the OU or owner attribute can give themselves admin access anyway, so hopefully only admins can do that.
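As an added illustration (not code from this thread or from OpenLDAP itself), the Python below models how the set operators `+`, `/` and `&` in the two set.exact rules above evaluate against a target entry and a bound user, puts Joe's dn.regex rule beside them to show why a $1 captured from the DN cannot see an ou that is only an attribute, and adds a check for the ']' / '[' characters flagged as risky. All entries, groups, members and DNs are constructed sample data.

```python
import re
from itertools import product

GROUP_SUFFIX = "Admins,ou=Groups,dc=example,dc=com"
# Constructed directory: ou is an attribute of each person entry (as in the
# question); owner holds the admin group DN used by the second set rule.
ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "ou": ["dept1"], "owner": ["cn=dept1Admins,ou=Groups,dc=example,dc=com"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "ou": ["dept2"], "owner": ["cn=dept2Admins,ou=Groups,dc=example,dc=com"]},
}
GROUPS = {
    "cn=dept1Admins,ou=Groups,dc=example,dc=com": {
        "member": ["uid=admin1,ou=people,dc=example,dc=com"]},
    "cn=dept2Admins,ou=Groups,dc=example,dc=com": {
        "member": ["uid=admin2,ou=people,dc=example,dc=com"]},
}

def deref(dns, attr):
    """Set operator '/attr': collect the attr values of every DN in the set."""
    out = set()
    for dn in dns:
        out.update(GROUPS.get(dn, ENTRIES.get(dn, {})).get(attr, []))
    return out

def concat(*parts):
    """Set operator '+': string-concatenate every combination of elements."""
    return {"".join(p) for p in product(*parts)}

def ou_rule_allows(user_dn, target_dn):
    """by set.exact="user & ([cn=] + this/ou + [Admins,...])/member" """
    group_dns = concat({"cn="}, set(ENTRIES[target_dn]["ou"]), {GROUP_SUFFIX})
    return bool({user_dn} & deref(group_dns, "member"))

def owner_rule_allows(user_dn, target_dn):
    """by set.exact="user & this/owner/member" """
    return bool({user_dn} & deref(set(ENTRIES[target_dn]["owner"]), "member"))

def dn_regex_rule_allows(user_dn, target_dn):
    """Joe's rule: $1 is captured from the target DN, so an ou that is only an
    attribute (never an RDN) cannot match; the expanded <who> is compared literally."""
    m = re.fullmatch(r"ou=([^,]+),ou=people,dc=example,dc=com", target_dn)
    return m is not None and user_dn == "cn=" + m.group(1) + GROUP_SUFFIX

def unsafe_ou_values(target_dn):
    """Flag ou values with the ']' / '[' characters Hallvard warns about."""
    return [v for v in ENTRIES[target_dn]["ou"] if "[" in v or "]" in v]
```

The group DN is derived from the target entry at evaluation time, so each admin group only ever intersects with members of the group named after that entry's own ou value.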
On 27/3/2012 4:43 μμ, Hallvard B Furuseth wrote:
Nick Milas wrote:
Let me re-phrase: Can we express the following three statements using ONE ACL statement? I haven't been able to find a solution.
access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept1)" attrs="attr1,attr2" by group.exact="cn=dept1Admins,ou=Groups,dc=example,dc=com" write [...same with other depts...]
This should work with normal OU names, but I'd feel nervous using it since OU names involving '] ... [' would give an "ACL injection attack":
access to dn.subtree="ou=people,dc=example,dc=com" attrs="attr1,attr2" filter="(ou=dept*)" by set.exact="user & ([cn=] + this/ou + [Admins,ou=Groups,dc=example,dc=com])/member" write
Hi Hallvard,
Examining your suggestion above, I think it will not work, because it gives write access to ou=dept* (that is, to *all* ou dept values) by *any* *Admins group, whereas we want xxxAdmins to have write access only to filter="(ou=deptxxx)".
So, in this case, only your second suggestion would work:
access to dn.subtree="ou=people,dc=example,dc=com" attrs="attr1,attr2" filter="(owner=*)" by set.exact="user & this/owner/member" write
... which requires us to define an owner attribute per entry.
Am I right?
The problem is that we cannot specify in an ACL any "expandable" wildcard (as is possible in the main <what> clause). Would such functionality be planned for the future?
Thanks and regards, Nick
openldap-technical@openldap.org