3:39 a.m.
Hi,
We would like to use ACL statements of the form (used for illustration
purposes):
access to dn.subtree="ou=people,dc=example,dc=com"
filter="(ou=xxxxx)" attrs="someAttrs"
by group.exact="cn=xxxxxAdmins,ou=Groups,dc=example,dc=com" write
by group.exact="cn=allAdmins,ou=Groups,dc=example,dc=com" read
by self read
where xxxxx is some string.
In essence, we assign people entries to various administrative groups,
depending on the value of the ou attribute of the entry.
Of course we can write many statements, one per ou value / admin group,
but it would be much more concise to use just one statement using wildcards.
Could someone please suggest if and how the above can be written
correctly, using e.g. regex?
I appreciate any suggestions.
Thanks,
Nick
4:18 p.m.
Nick Milas wrote:
Hi,
We would like to use ACL statements of the form (used for illustration
purposes):
access to dn.subtree="ou=people,dc=example,dc=com"
filter="(ou=xxxxx)" attrs="someAttrs"
by group.exact="cn=xxxxxAdmins,ou=Groups,dc=example,dc=com" write
by group.exact="cn=allAdmins,ou=Groups,dc=example,dc=com" read
by self read
where xxxxx is some string.
In essence, we assign people entries to various administrative groups,
depending on the value of the ou attribute of the entry.
Of course we can write many statements, one per ou value / admin group,
but it would be much more concise to use just one statement using wildcards.
Could someone please suggest if and how the above can be written
correctly, using e.g. regex?
If: yes.
How: RTFM.
http://www.openldap.org/doc/admin24/access-control.html#Access%20Control%...
I appreciate any suggestions.
Thanks,
Nick
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
3:22 a.m.
On 26/2/2012 2:18 πμ, Howard Chu wrote:
How: RTFM.
http://www.openldap.org/doc/admin24/access-control.html#Access%20Control%...
>
> I appreciate any suggestions.
I do (RTFM) - sometimes a bit hastily, I admit. We have to administer a
large number of diverse systems and time does not always allow to read
all docs of each exhaustively, I am afraid. Experienced members'
directions can give us a starting point when we get stuck.
In this case, I spent quite some time with it. It seems to me that it
would require to use regex *in a filter* and then group.expand based on
the results. But is this possible? Any alternatives?
Thanks,
Nick
5:23 a.m.
On 26/2/2012 1:22 μμ, Nick Milas wrote:
It seems to me that it would require to use regex *in a filter* and
then group.expand based on the results. But is this possible? Any
alternatives?
Hmm, no one?
Let me re-phrase: Can we express the following three statements using
ONE ACL statement? I haven't been able to find a solution.
access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept1)"
attrs="attr1,attr2"
by group.exact="cn=dept1Admins,ou=Groups,dc=example,dc=com" write
access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept2)"
attrs="attr1,attr2"
by group.exact="cn=dept2Admins,ou=Groups,dc=example,dc=com" write
access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=dept3)"
attrs="attr1,attr2"
by group.exact="cn=dept3Admins,ou=Groups,dc=example,dc=com" write
Or any alternative suggestions to achieve the same result?
Thanks,
Nick
6:01 a.m.
On Tue, 27 Mar 2012, Nick Milas wrote:
On 26/2/2012 1:22 ??, Nick Milas wrote:
> It seems to me that it would require to use regex *in a filter* and then
> group.expand based on the results. But is this possible? Any alternatives?
Hmm, no one?
Let me re-phrase: Can we express the following three statements using ONE ACL
statement? I haven't been able to find a solution.
access to dn.subtree="ou=people,dc=example,dc=com"
filter="(ou=dept1)"
attrs="attr1,attr2"
by group.exact="cn=dept1Admins,ou=Groups,dc=example,dc=com" write
access to dn.subtree="ou=people,dc=example,dc=com"
filter="(ou=dept2)"
attrs="attr1,attr2"
by group.exact="cn=dept2Admins,ou=Groups,dc=example,dc=com" write
access to dn.subtree="ou=people,dc=example,dc=com"
filter="(ou=dept3)"
attrs="attr1,attr2"
by group.exact="cn=dept3Admins,ou=Groups,dc=example,dc=com" write
Or any alternative suggestions to achieve the same result?
Thanks,
Nick
I'm being super-dangerous by writing this on my way out the door, but with
that caveat, I believe:
access to dn.subtree=<what> filter="(ou=dept1)" by
group="cn=dept1,ou=Administrators,ou=Groups,dc=example,dc=com" read
is plausible with a set.expand. You might not even use the filter, just
the set alone to check this/ou versus the expanded group. Basically I'm
not certain if mapping "dept1" <> "dept1Admins" is achievable,
hence the
direct "dept1" <> "dept1" treatment. You might be able to use a
'+' to add
the "Admins" static string from your question but I'm not sure.
6:09 a.m.
Am Tue, 27 Mar 2012 15:23:30 +0300
schrieb Nick Milas <nick(a)eurobjects.com>:
On 26/2/2012 1:22 μμ, Nick Milas wrote:
> It seems to me that it would require to use regex *in a filter* and
> then group.expand based on the results. But is this possible? Any
> alternatives?
Hmm, no one?
Let me re-phrase: Can we express the following three statements using
ONE ACL statement? I haven't been able to find a solution.
access to dn.subtree="ou=people,dc=example,dc=com"
filter="(ou=dept1)" attrs="attr1,attr2"
by group.exact="cn=dept1Admins,ou=Groups,dc=example,dc=com"
write
access to dn.subtree="ou=people,dc=example,dc=com"
filter="(ou=dept2)" attrs="attr1,attr2"
by group.exact="cn=dept2Admins,ou=Groups,dc=example,dc=com"
write
access to dn.subtree="ou=people,dc=example,dc=com"
filter="(ou=dept3)" attrs="attr1,attr2"
by group.exact="cn=dept3Admins,ou=Groups,dc=example,dc=com"
write
Or any alternative suggestions to achieve the same result?
According to slapd.access(5) these are valid acess rules, but you may
expand the attribute list to pseudo attribute types entry and children.
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
6:21 a.m.
On 26/2/2012 1:22 μμ, Nick Milas wrote:
> It seems to me that it would require to use regex *in a filter* and
> then group.expand based on the results. But is this possible? Any
> alternatives?
Hmm, no one?
Let me re-phrase: Can we express the following three statements using
ONE ACL statement? I haven't been able to find a solution.
access to dn.subtree="ou=people,dc=example,dc=com"
filter="(ou=dept1)"
attrs="attr1,attr2"
by group.exact="cn=dept1Admins,ou=Groups,dc=example,dc=com" write
access to dn.subtree="ou=people,dc=example,dc=com"
filter="(ou=dept2)"
attrs="attr1,attr2"
by group.exact="cn=dept2Admins,ou=Groups,dc=example,dc=com" write
access to dn.subtree="ou=people,dc=example,dc=com"
filter="(ou=dept3)"
attrs="attr1,attr2"
by group.exact="cn=dept3Admins,ou=Groups,dc=example,dc=com" write
Or any alternative suggestions to achieve the same result?
Thanks,
Nick
Assuming these org units are under ou=people, try this:
access to dn.regex="ou=([^,]+),ou=people,dc=example,dc=com"
attrs="attr1,attr2"
by dn.regex="cn=$1Admins,ou=Groups,dc=example,dc=com" write
Joe
6:46 a.m.
Joe Friedeggs wrote:
> On 26/2/2012 1:22 μμ, Nick Milas wrote:
>
> > It seems to me that it would require to use regex *in a filter* and
> > then group.expand based on the results. But is this possible? Any
> > alternatives?
>
> Hmm, no one?
>
> Let me re-phrase: Can we express the following three statements using
> ONE ACL statement? I haven't been able to find a solution.
>
> access to dn.subtree="ou=people,dc=example,dc=com"
filter="(ou=dept1)"
> attrs="attr1,attr2"
> by group.exact="cn=dept1Admins,ou=Groups,dc=example,dc=com" write
>
> access to dn.subtree="ou=people,dc=example,dc=com"
filter="(ou=dept2)"
> attrs="attr1,attr2"
> by group.exact="cn=dept2Admins,ou=Groups,dc=example,dc=com" write
>
> access to dn.subtree="ou=people,dc=example,dc=com"
filter="(ou=dept3)"
> attrs="attr1,attr2"
> by group.exact="cn=dept3Admins,ou=Groups,dc=example,dc=com" write
>
> Or any alternative suggestions to achieve the same result?
Assuming these org units are under ou=people, try this:
access to dn.regex="ou=([^,]+),ou=people,dc=example,dc=com"
attrs="attr1,attr2"
by dn.regex="cn=$1Admins,ou=Groups,dc=example,dc=com" write
From what the original poster wrote he has just ou-attributes in person
entries, not separate DIT containers.
Ciao, Michael.
6:22 a.m.
On 26/2/2012 1:22 μμ, Nick Milas wrote:
> It seems to me that it would require to use regex *in a filter* and
> then group.expand based on the results. But is this possible? Any
> alternatives?
Hmm, no one?
Let me re-phrase: Can we express the following three statements using
ONE ACL statement? I haven't been able to find a solution.
access to dn.subtree="ou=people,dc=example,dc=com"
filter="(ou=dept1)"
attrs="attr1,attr2"
by group.exact="cn=dept1Admins,ou=Groups,dc=example,dc=com" write
access to dn.subtree="ou=people,dc=example,dc=com"
filter="(ou=dept2)"
attrs="attr1,attr2"
by group.exact="cn=dept2Admins,ou=Groups,dc=example,dc=com" write
access to dn.subtree="ou=people,dc=example,dc=com"
filter="(ou=dept3)"
attrs="attr1,attr2"
by group.exact="cn=dept3Admins,ou=Groups,dc=example,dc=com" write
Or any alternative suggestions to achieve the same result?
Thanks,
Nick
Assuming these org units are under ou=people, try this:
access to dn.regex="ou=([^,]+),ou=people,dc=example,dc=com"
attrs="attr1,attr2"
by dn.regex="cn=$1Admins,ou=Groups,dc=example,dc=com" write
Joe
6:24 a.m.
On 26/2/2012 1:22 μμ, Nick Milas wrote:
> It seems to me that it would require to use regex *in a filter* and
> then group.expand based on the results. But is this possible? Any
> alternatives?
Hmm, no one?
Let me re-phrase: Can we express the following three statements using
ONE ACL statement? I haven't been able to find a solution.
access to dn.subtree="ou=people,dc=example,dc=com"
filter="(ou=dept1)"
attrs="attr1,attr2"
by group.exact="cn=dept1Admins,ou=Groups,dc=example,dc=com" write
access to dn.subtree="ou=people,dc=example,dc=com"
filter="(ou=dept2)"
attrs="attr1,attr2"
by group.exact="cn=dept2Admins,ou=Groups,dc=example,dc=com" write
access to dn.subtree="ou=people,dc=example,dc=com"
filter="(ou=dept3)"
attrs="attr1,attr2"
by group.exact="cn=dept3Admins,ou=Groups,dc=example,dc=com" write
Or any alternative suggestions to achieve the same result?
Thanks,
Nick
Assuming these org units are under ou=people, have you tried something like this?
access to dn.regex="ou=([^,]+),ou=people,dc=example,dc=com"
attrs="attr1,attr2"
by dn.regex="cn=$1Admins,ou=Groups,dc=example,dc=com" write
Joe
6:29 a.m.
On 26/2/2012 1:22 μμ, Nick Milas wrote:
> It seems to me that it would require to use regex *in a filter* and
> then group.expand based on the results. But is this possible? Any
> alternatives?
Hmm, no one?
Let me re-phrase: Can we express the following three statements using
ONE ACL statement? I haven't been able to find a solution.
access to dn.subtree="ou=people,dc=example,dc=com"
filter="(ou=dept1)"
attrs="attr1,attr2"
by group.exact="cn=dept1Admins,ou=Groups,dc=example,dc=com" write
access to dn.subtree="ou=people,dc=example,dc=com"
filter="(ou=dept2)"
attrs="attr1,attr2"
by group.exact="cn=dept2Admins,ou=Groups,dc=example,dc=com" write
access to dn.subtree="ou=people,dc=example,dc=com"
filter="(ou=dept3)"
attrs="attr1,attr2"
by group.exact="cn=dept3Admins,ou=Groups,dc=example,dc=com" write
Or any alternative suggestions to achieve the same result?
Thanks,
Nick
Assuming these org units are under ou=people, have you tried something like this?
access to dn.regex="ou=([^,]+),ou=people,dc=example,dc=com"
attrs="attr1,attr2"
by dn.regex="cn=$1Admins,ou=Groups,dc=example,dc=com" write
Joe
6:45 a.m.
On 27/3/2012 4:29 μμ, Joe Friedeggs wrote:
Assuming these org units are under ou=people, have you tried
something
like this?
Negative. ou here is an attribute of the entry, not a separate org unit.
That's why I haven't found a solution neither with regexp/expand nor
with set/expand.
A solution seems to me possible only if ACL regex match/expand would be
possible in filter, rather than in the <what> part, yet I don't think
it's possible.
What I see as a solution is to add explicitly an owner attribute to each
entry (with the appropriate owner DN) and create an ACL to test this
attribute value.
Or this:
http://www.openldap.org/lists/openldap-technical/201202/msg00344.html
But I still would like to have experienced people's feedback on this,
before deciding.
Nick.
6:30 a.m.
On 26/2/2012 1:22 μμ, Nick Milas wrote:
> It seems to me that it would require to use regex *in a filter* and
> then group.expand based on the results. But is this possible? Any
> alternatives?
Hmm, no one?
Let me re-phrase: Can we express the following three statements using
ONE ACL statement? I haven't been able to find a solution.
access to dn.subtree="ou=people,dc=example,dc=com"
filter="(ou=dept1)"
attrs="attr1,attr2"
by group.exact="cn=dept1Admins,ou=Groups,dc=example,dc=com" write
access to dn.subtree="ou=people,dc=example,dc=com"
filter="(ou=dept2)"
attrs="attr1,attr2"
by group.exact="cn=dept2Admins,ou=Groups,dc=example,dc=com" write
access to dn.subtree="ou=people,dc=example,dc=com"
filter="(ou=dept3)"
attrs="attr1,attr2"
by group.exact="cn=dept3Admins,ou=Groups,dc=example,dc=com" write
Or any alternative suggestions to achieve the same result?
Thanks,
Nick
Assuming these org units are under ou=people, have you tried something like this?
access to dn.regex="ou=([^,]+),ou=people,dc=example,dc=com"
attrs="attr1,attr2"
by dn.regex="cn=$1Admins,ou=Groups,dc=example,dc=com" write
Joe
6:31 a.m.
On 26/2/2012 1:22 μμ, Nick Milas wrote:
> It seems to me that it would require to use regex *in a filter* and
> then group.expand based on the results. But is this possible? Any
> alternatives?
Hmm, no one?
Let me re-phrase: Can we express the following three statements using
ONE ACL statement? I haven't been able to find a solution.
access to dn.subtree="ou=people,dc=example,dc=com"
filter="(ou=dept1)"
attrs="attr1,attr2"
by group.exact="cn=dept1Admins,ou=Groups,dc=example,dc=com" write
access to dn.subtree="ou=people,dc=example,dc=com"
filter="(ou=dept2)"
attrs="attr1,attr2"
by group.exact="cn=dept2Admins,ou=Groups,dc=example,dc=com" write
access to dn.subtree="ou=people,dc=example,dc=com"
filter="(ou=dept3)"
attrs="attr1,attr2"
by group.exact="cn=dept3Admins,ou=Groups,dc=example,dc=com" write
Or any alternative suggestions to achieve the same result?
Thanks,
Nick
Assuming these org units are under ou=people, have you tried something like this?
access to dn.regex="ou=([^,]+),ou=people,dc=example,dc=com"
attrs="attr1,attr2"
by dn.regex="cn=$1Admins,ou=Groups,dc=example,dc=com" write
Joe
6:43 a.m.
Nick Milas wrote:
Let me re-phrase: Can we express the following three statements
using
ONE ACL statement? I haven't been able to find a solution.
access to dn.subtree="ou=people,dc=example,dc=com"
filter="(ou=dept1)" attrs="attr1,attr2"
by group.exact="cn=dept1Admins,ou=Groups,dc=example,dc=com"
write
[...same with other depts...]
This should work with normal OU names, but I'd feel nervous using it
since OU names involving '] ... [' would give an "ACL injection
attack":
access to dn.subtree="ou=people,dc=example,dc=com"
attrs="attr1,attr2" filter="(ou=dept*)"
by set.exact="user & ([cn=] + this/ou +
[Admins,ou=Groups,dc=example,dc=com])/member" write
I'd feel safer with the group DN of the admin in an attribute in
the entry (here the owner attribute):
access to dn.subtree="ou=people,dc=example,dc=com"
attrs="attr1,attr2" filter="(owner=*)"
by set.exact="user & this/owner/member" write
OTOH anyone who has access to update the OU or owner attribute can give
themselves admin access anyway, so hopefully only admins can do that.
--
Hallvard
9:09 a.m.
On 27/3/2012 4:43 μμ, Hallvard B Furuseth wrote:
Nick Milas wrote:
> Let me re-phrase: Can we express the following three statements using
> ONE ACL statement? I haven't been able to find a solution.
>
> access to dn.subtree="ou=people,dc=example,dc=com"
> filter="(ou=dept1)" attrs="attr1,attr2"
> by group.exact="cn=dept1Admins,ou=Groups,dc=example,dc=com"
> write
> [...same with other depts...]
>
This should work with normal OU names, but I'd feel nervous using it
since OU names involving '] ... [' would give an "ACL injection
attack":
access to dn.subtree="ou=people,dc=example,dc=com"
attrs="attr1,attr2" filter="(ou=dept*)"
by set.exact="user & ([cn=] + this/ou +
[Admins,ou=Groups,dc=example,dc=com])/member" write
Hi Hallvard,
Examining your suggestion above, I think it will not work, because it
gives write access to ou=dept* (that is, to *all* ou dept values) by
*any* *Admins group, whereas we want xxxAdmins to only have write access
to filter="(ou=deptxxx)" only.
So, in this case, only your second suggestion would work:
access to dn.subtree="ou=people,dc=example,dc=com"
attrs="attr1,attr2" filter="(owner=*)"
by set.exact="user & this/owner/member" write
... which requires us to define an owner attribute per entry.
Am I right?
The problem is that we cannot specify in an ACL any "expandable"
wildcard (as is possible in the main <what> clause). Would such
functionality be planned for the future?
Thanks and regards,
Nick
4144
days inactive
4227
days old
openldap-technical@openldap.org
15 comments
7 participants
participants (7)
-
Aaron Richton -
Dieter Klünter -
Hallvard B Furuseth -
Howard Chu -
Joe Friedeggs -
Michael Ströder -
Nick Milas