10:08 a.m.
Hi,
I'd like to let users create posixGroup objects, but I don't want them to be able
to pick a gidNumber that is already in use, or that is less than 1000 or greater than
10000, and I only want the groups to be created in the ou=Group,dc=example,dc=com
container.
Is this possible with OpenLDAP ACLs?
Tim Gustafson
Baskin School of Engineering
UC Santa Cruz
tjg(a)soe.ucsc.edu
831-459-5354
10:21 a.m.
On 2011-03-17 at 10:08, Tim Gustafson ( tjg(a)soe.ucsc.edu ) said:
Hi,
I'd like to let users create posixGroup objects, but I don't want them
to be able to pick a gidNumber that is already in use, or that is less
than 1000 or greater than 10000, and I only want the groups to be
created in the ou=Group,dc=example,dc=com container.
Take a look at slapo-unique to enforce gidNumber uniqueness. Last part is
definitely doable. As to enforcing a value to be within a certain range, I
suppose if you can come up with a regex to match that, it should be
possible.
We have something similar, in that users can create groups of the form
<user>:<groupname>. Here are the ACLs that make that work:
# allow access to create entries under ou=group
access to dn.exact="ou=group,dc=bx,dc=psu,dc=edu" attrs=children
by users write
by * read
# personal groups
access to dn.regex="cn=(.+):.+,ou=group,dc=bx,dc=psu,dc=edu"
filter=(|(objectclass=groupofnames)(objectclass=posixgroup)) attrs=member,memberUid
by dn.regex="uid=$1,ou=people,dc=bx,dc=psu,dc=edu" write
by dn.regex=".*/admin,ou=people,dc=bx,dc=psu,dc=edu" write
by group.exact="cn=ldapadmin-groups,ou=group,dc=bx,dc=psu,dc=edu"
write
by * read
--andy
10:27 a.m.
Am 17.03.2011 18:08, schrieb Tim Gustafson:
Hi,
I'd like to let users create posixGroup objects, but I don't want them to be able
to pick a gidNumber that is already in use, or that is less than 1000 or greater than
10000, and I only want the groups to be created in the ou=Group,dc=example,dc=com
container.
Is this possible with OpenLDAP ACLs?
Hi,
to prevent gidNumber duplicates you probably need slapo-unique. ACLs
along these lines should do the rest:
access to dn.exact="ou=group,dc=example" attrs=children
by users write
access to dn.sub="ou=group,dc=example" attrs=entry
filter="(&(objectClass=posixAccount)(gidNumber>=1000)(gidNumber<=1000)"
by users add
Regards,
Christian Manal
8:42 a.m.
to prevent gidNumber duplicates you probably need slapo-unique.
That works well; here's my configuration:
overlay unique
unique_uri ldap:///ou=Group,dc=example?cn?sub?
unique_uri ldap:///ou=Group,dc=example?gidNumber?sub?
ACLs along these lines should do the rest:
access to dn.exact="ou=group,dc=example" attrs=children
by users write
access to dn.sub="ou=group,dc=example" attrs=entry
filter="(&(objectClass=posixAccount)(gidNumber>=1000)(gidNumber<=1000)"
by users add
I already have this:
access to
dn.subtree="ou=Group,dc=example"
attrs=manager,memberUid,description,myStatus,myComment
by set="this/manager & user" write
by * break
(My groups all have an additional objectClass, myGroup, which adds a manager, description,
myStatus and myComment attribute to groups.)
Will the ACLs you propose break that? It doesn't look like they will; I just want to
make sure.
Tim Gustafson
Baskin School of Engineering
UC Santa Cruz
tjg(a)soe.ucsc.edu
831-459-5354
9:36 a.m.
ACLs along these lines should do the rest
Actually, this doesn't seem to work:
access to
dn.exact="ou=Group,dc=example"
attrs=children
by users write
by * break
access to
dn.subtree="ou=Group,dc=example"
attrs=entry
filter="(&(objectClass=posixGroup)(objectClass=myGroup)(gidNumber>=1000)(gidNumber<=10000))"
by users add
by * break
access to
dn.subtree="ou=Group,dc=example"
attrs=manager,memberUid,description,myStatus
by set="this/manager & user" write
by * break
If I take out the "filter" line, it works fine, but with the "filter"
line there it doesn't work, regardless of what gidNumber I provide.
The OpenLDAP log with "acl" logging enabled is attached. What do I need to add
to these ACLs to get this working? I tried adding all the group-specific attributes to
the "attrs=entry" line, but that did not help.
Tim Gustafson
Baskin School of Engineering
UC Santa Cruz
tjg(a)soe.ucsc.edu
831-459-5354
2:41 a.m.
Am 18.03.2011 17:36, schrieb Tim Gustafson:
by set="this/manager & user" write
I'd use a 'dnattr' rule here instead of a set. Sets can have a severe
impact on performance, since they are not cached.
If I take out the "filter" line, it works fine, but with
the "filter" line there it doesn't work, regardless of what gidNumber I
provide.
Yeah, I just tested myself. The problem isn't the filter in itself, but
the greater-than and less-than operators. gidNumber doesn't have an
ORDERING rule, so the filter will always return false. Since gidNumber
is a builtin attribute, it can't be changed that easily, but I think
recently saw an ITS that requested adding 'ORDERING
integerOrderingMatch' to uidNumber and gidNumber. You'd have to wait for
the next OpenLDAP version.
Regards,
Christian Manal
11:08 a.m.
gidNumber doesn't have an ORDERING rule, so the filter will
always return false.
Can it be somehow done with regular expressions? Something like:
filter="(&(objectClass=posixGroup)(objectClass=myGroup)(gidNumber=~1[0-9]{3,4}))"
I'm guessing that filters don't allow regular expressions, but I thought it might
be worth a shot. :)
Tim Gustafson
Baskin School of Engineering
UC Santa Cruz
tjg(a)soe.ucsc.edu
831-459-5354
4457
days inactive
4462
days old
openldap-technical@openldap.org
6 comments
3 participants
participants (3)
-
Andy Cobaugh -
Christian Manal -
Tim Gustafson