Hi all,
maybe this is not the right list for this question; in this case I apologize for this post...
I have no idea how to define access rules for the following case. I have an LDAP tree like this:
ou=users
  cn=me
ou=data
  ou=data1, owner=cn=me,ou=users
    cn=fact1
    cn=fact2
  ou=data2, owner=cn=somebodyelse,ou=users
    cn=fact3
    cn=fact4
(one line represents one LDAP entry with some of its attributes, the level of indentation represents the tree structure)
The point is the subtree starting at "ou=data1". The root node of this subtree (ou=data1) has an attribute "owner" with a DN of a user account which can be used to bind to the LDAP server (cn=me,ou=users).
Now I want to define that this specific user has write access to some attributes of cn=fact1,ou=data1 and cn=fact2,ou=data2 etc...
I am searching for a rule like this:
access to "cn=[^,]+,ou=data1,ou=data" attrs="attr1,attr2,attr3" by dnattr="owner of node ou=data1,ou=data" write
Obviously, this dnattr syntax is not valid, but I guess you see what I want. Any ideas how to realize this?
Thanks for any hints
Regards -stefan-
> Hi all,
> maybe this is not the right list for this question; in this case I apologize for this post...
> I have no idea how to define access rules for the following case. I have an LDAP tree like this:
> ou=users
>   cn=me
> ou=data
>   ou=data1, owner=cn=me,ou=users
>     cn=fact1
>     cn=fact2
>   ou=data2, owner=cn=somebodyelse,ou=users
>     cn=fact3
>     cn=fact4
> (one line represents one LDAP entry with some of its attributes, the level of indentation represents the tree structure)
> The point is the subtree starting at "ou=data1". The root node of this subtree (ou=data1) has an attribute "owner" with a DN of a user account which can be used to bind to the LDAP server (cn=me,ou=users).
> Now I want to define that this specific user has write access to some attributes of cn=fact1,ou=data1 and cn=fact2,ou=data2 etc...
> I am searching for a rule like this:
> access to "cn=[^,]+,ou=data1,ou=data" attrs="attr1,attr2,attr3" by dnattr="owner of node ou=data1,ou=data" write
> Obviously, this dnattr syntax is not valid, but I guess you see what I want. Any ideas how to realize this?
Try
access to dn.children="ou=data1,ou=data" by set="[ou=data1,ou=data]/owner & user" write
p.
On Sun, 2010-02-21 at 13:26 +0100, masarati@aero.polimi.it wrote:
> > I am searching for a rule like this:
> > access to "cn=[^,]+,ou=data1,ou=data" attrs="attr1,attr2,attr3" by dnattr="owner of node ou=data1,ou=data" write
> Try
> access to dn.children="ou=data1,ou=data" by set="[ou=data1,ou=data]/owner & user" write
Thanks for this hint. The man page for slapd.access currently says "The statement set=<pattern> is undocumented yet". Is there anywhere else a detailed documentation for this?
Especially, can I use regular expressions? Because my real need would be something like this:
access to dn.children="(ou=[^,]+,ou=data)" by set="[$1]/owner & user" write
so that I do not have to define a rule for each dataX-subtree...
Thanks and regards -stefan-
> On Sun, 2010-02-21 at 13:26 +0100, masarati@aero.polimi.it wrote:
> > > I am searching for a rule like this:
> > > access to "cn=[^,]+,ou=data1,ou=data" attrs="attr1,attr2,attr3" by dnattr="owner of node ou=data1,ou=data" write
> > Try
> > access to dn.children="ou=data1,ou=data" by set="[ou=data1,ou=data]/owner & user" write
> Thanks for this hint. The man page for slapd.access currently says "The statement set=<pattern> is undocumented yet". Is there anywhere else a detailed documentation for this?
Yes, it's very well hidden here http://www.openldap.org/faq/data/cache/1133.html :) Updating slapd.access(5) has been on the todo list for a long time...
> Especially, can I use regular expressions?
Yes, you should be able to figure out the syntax yourself from that link.
> Because my real need would be something like this:
> access to dn.children="(ou=[^,]+,ou=data)" by set="[$1]/owner & user" write
> so that I do not have to define a rule for each dataX-subtree...
p.
On Sun, 2010-02-21 at 13:54 +0100, masarati@aero.polimi.it wrote:
> On Sun, 2010-02-21 at 13:26 +0100, masarati@aero.polimi.it wrote:
> > > > I am searching for a rule like this:
> > > > access to "cn=[^,]+,ou=data1,ou=data" attrs="attr1,attr2,attr3" by dnattr="owner of node ou=data1,ou=data" write
> > > Try
> > > access to dn.children="ou=data1,ou=data" by set="[ou=data1,ou=data]/owner & user" write
> > Thanks for this hint. The man page for slapd.access currently says "The statement set=<pattern> is undocumented yet". Is there anywhere else a detailed documentation for this?
> Yes, it's very well hidden here http://www.openldap.org/faq/data/cache/1133.html :) Updating slapd.access(5) has been on the todo list for a long time...
Thanks, I think I've got the idea and how to use it for my purposes (those sets are really powerful, my respect to the developers!).
But unfortunately I don't get it to work, I hope it's only a small mistake by me:
This works:
access to dn.regex=".*,(ou=[^,]+,ou=data)" by set.expand="user & ([ou=data1,ou=data]/owner)"
This does NOT work (the owner of ou=dataX,ou=data does NOT get access to the corresponding child entries):
access to dn.regex=".*,(ou=[^,]+,ou=data)" by set.expand="user & ([$1]/owner)"
(Of course, the first one is not exactly the same as the second one, because the first one allows access to ALL dataX-subtrees to the owner of the data1-subtree...)
But why does the second one not work?
Regards -stefan
On Sun, 2010-02-21 at 14:32 +0100, Stefan Palme wrote:
> On Sun, 2010-02-21 at 13:54 +0100, masarati@aero.polimi.it wrote:
> > On Sun, 2010-02-21 at 13:26 +0100, masarati@aero.polimi.it wrote:
> > > > > I am searching for a rule like this:
> > > > > access to "cn=[^,]+,ou=data1,ou=data" attrs="attr1,attr2,attr3" by dnattr="owner of node ou=data1,ou=data" write
> > > > Try
> > > > access to dn.children="ou=data1,ou=data" by set="[ou=data1,ou=data]/owner & user" write
> > > Thanks for this hint. The man page for slapd.access currently says "The statement set=<pattern> is undocumented yet". Is there anywhere else a detailed documentation for this?
> > Yes, it's very well hidden here http://www.openldap.org/faq/data/cache/1133.html :) Updating slapd.access(5) has been on the todo list for a long time...
> Thanks, I think I've got the idea and how to use it for my purposes (those sets are really powerful, my respect to the developers!).
> But unfortunately I don't get it to work, I hope it's only a small mistake by me:
> This works:
> access to dn.regex=".*,(ou=[^,]+,ou=data)" by set.expand="user & ([ou=data1,ou=data]/owner)"
> This does NOT work (the owner of ou=dataX,ou=data does NOT get access to the corresponding child entries):
> access to dn.regex=".*,(ou=[^,]+,ou=data)" by set.expand="user & ([$1]/owner)"
Sorry for this, the second one DOES work. It was just a typo in my access configuration.
I have another, similar problem the other way around, but I guess I will start a new thread for this...
Thanks and regards -stefan-
> On Sun, 2010-02-21 at 13:54 +0100, masarati@aero.polimi.it wrote:
> > On Sun, 2010-02-21 at 13:26 +0100, masarati@aero.polimi.it wrote:
> > > > > I am searching for a rule like this:
> > > > > access to "cn=[^,]+,ou=data1,ou=data" attrs="attr1,attr2,attr3" by dnattr="owner of node ou=data1,ou=data" write
> > > > Try
> > > > access to dn.children="ou=data1,ou=data" by set="[ou=data1,ou=data]/owner & user" write
> > > Thanks for this hint. The man page for slapd.access currently says "The statement set=<pattern> is undocumented yet". Is there anywhere else a detailed documentation for this?
> > Yes, it's very well hidden here http://www.openldap.org/faq/data/cache/1133.html :) Updating slapd.access(5) has been on the todo list for a long time...
> Thanks, I think I've got the idea and how to use it for my purposes (those sets are really powerful, my respect to the developers!).
> But unfortunately I don't get it to work, I hope it's only a small mistake by me:
> This works:
> access to dn.regex=".*,(ou=[^,]+,ou=data)" by set.expand="user & ([ou=data1,ou=data]/owner)"
> This does NOT work (the owner of ou=dataX,ou=data does NOT get access to the corresponding child entries):
> access to dn.regex=".*,(ou=[^,]+,ou=data)" by set.expand="user & ([$1]/owner)"
> (Of course, the first one is not exactly the same as the second one, because the first one allows access to ALL dataX-subtrees to the owner of the data1-subtree...)
> But why does the second one not work?
Works for me, so the devil must be in the details. Try with -d acl and see how things expand.
p.
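The two rules compared in Stefan's 14:32 message (the fixed `[ou=data1,ou=data]/owner` set versus the expanded `[$1]/owner` set) and Pierangelo's advice to watch the expansion with `-d acl` can be illustrated with a small model of the evaluation. The following script is an added example, not part of the thread and not OpenLDAP code: it builds the directory from the tree in the original post as constructed data and evaluates the subset of set syntax used here (`user`, `[dn]/attr`, parentheses, `&`) after substituting `$1` from the `to dn.regex` match. Real slapd normalizes DNs before matching, supports a far richer set grammar and applies `attrs=` and rule ordering on top of this; the model only decides whether a given `by` clause matches.

```python
import re

# Constructed directory modelled on the tree in the original post; DNs are
# written exactly as in the thread, relative to an implicit suffix.
DIRECTORY = {
    "ou=users": {},
    "cn=me,ou=users": {},
    "cn=somebodyelse,ou=users": {},
    "ou=data": {},
    "ou=data1,ou=data": {"owner": ["cn=me,ou=users"]},
    "cn=fact1,ou=data1,ou=data": {},
    "cn=fact2,ou=data1,ou=data": {},
    "ou=data2,ou=data": {"owner": ["cn=somebodyelse,ou=users"]},
    "cn=fact3,ou=data2,ou=data": {},
    "cn=fact4,ou=data2,ou=data": {},
}

# The ACL fragments under discussion, copied from the thread.
TO_REGEX = r".*,(ou=[^,]+,ou=data)"
SET_FIXED = "user & ([ou=data1,ou=data]/owner)"   # always the owner of data1
SET_EXPAND = "user & ([$1]/owner)"                # owner of whichever ou matched


def expand_pattern(pattern, match):
    """Substitute $1..$9 in a set.expand pattern with the capture groups of
    the 'to dn.regex' match (simplified model of slapd's expansion)."""
    return re.sub(r"\$([1-9])", lambda m: match.group(int(m.group(1))), pattern)


def _strip_outer_parens(expr):
    """Remove parentheses that enclose the whole expression, if any."""
    while expr.startswith("(") and expr.endswith(")"):
        depth = 0
        for i, ch in enumerate(expr):
            depth += (ch == "(") - (ch == ")")
            if depth == 0 and i < len(expr) - 1:
                return expr  # first '(' closes early: not an outer pair
        expr = expr[1:-1].strip()
    return expr


def eval_set(expr, bound_dn):
    """Evaluate the subset of set syntax used in the thread and return the
    resulting set of DN strings. 'user' is the bound DN; '[dn]/attr' is the
    values of attr on entry dn; '&' is intersection."""
    expr = _strip_outer_parens(expr.strip())
    if "&" in expr:
        left, right = expr.split("&", 1)
        return eval_set(left, bound_dn) & eval_set(right, bound_dn)
    if expr == "user":
        return {bound_dn}
    m = re.fullmatch(r"\[(.*)\]/(\w+)", expr)
    if m:
        entry_dn, attr = m.group(1), m.group(2)
        return set(DIRECTORY.get(entry_dn, {}).get(attr, []))
    raise ValueError(f"unsupported set expression: {expr!r}")


def expanded_set(to_regex, set_pattern, target_dn):
    """Return the set pattern after $n expansion for target_dn, or None when
    the 'to dn.regex' clause does not select the entry at all."""
    m = re.search(to_regex, target_dn, re.IGNORECASE)
    if not m:
        return None
    return expand_pattern(set_pattern, m)


def acl_matches(to_regex, set_pattern, target_dn, bound_dn):
    """Model of
         access to dn.regex="<to_regex>" by set.expand="<set_pattern>" write
    True when the 'by' clause applies to bound_dn operating on target_dn,
    i.e. the expanded set is non-empty."""
    expanded = expanded_set(to_regex, set_pattern, target_dn)
    if expanded is None:
        return False
    return bool(eval_set(expanded, bound_dn))


if __name__ == "__main__":
    # Decision table for both rules, the kind of thing -d acl lets you confirm.
    for bound in ("cn=me,ou=users", "cn=somebodyelse,ou=users"):
        for target in ("cn=fact1,ou=data1,ou=data", "cn=fact3,ou=data2,ou=data"):
            print(f"{bound:28} -> {target:28} fixed={acl_matches(TO_REGEX, SET_FIXED, target, bound)!s:5} "
                  f"expand={acl_matches(TO_REGEX, SET_EXPAND, target, bound)}")
```

The table makes the difference Stefan noted explicit: with the fixed set, cn=me is granted write on cn=fact3,ou=data2,ou=data even though cn=somebodyelse owns that subtree, whereas the `$1` form grants each owner only their own subtree. Note that `$1` is only available when the `to` clause is a `dn.regex` with a capture group; a `dn.children` clause yields nothing to expand.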
openldap-technical@openldap.org