Just a quick question: is it possible to control access to attributes based on an attribute tag? The idea is to hide certain attributes by adding a "...;x-hidden" tag.
TIA, Ralf Mattes
:wq
On Thu, 29 Sep 2016 08:52:17 +0200, "Ralf Mattes" rm@mh-freiburg.de wrote:
> Just a quick question: is it possible to control access to attributes based on an attribute tag? The idea is to hide certain attributes by adding a "...;x-hidden" tag.
Yes, that is possible, i.e.

access to attrs=name;x-hidden
    by * =cs
    by dn.exact="cn=foo bar,o=example" +r
    by dn.exact="cn=some one,o=example" +w
-Dieter
On 29. sep. 2016 08:52, Ralf Mattes wrote:
> Just a quick question: is it possible to control access to attributes based on an attribute tag? The idea is to hide certain attributes by adding a "...;x-hidden" tag.
Doesn't the ";x-hidden" example in the slapd-config(5) manual page work?
On Thursday, 29 September 2016 10:20 CEST, Hallvard Breien Furuseth h.b.furuseth@usit.uio.no wrote:
> On 29. sep. 2016 08:52, Ralf Mattes wrote:
> > Just a quick question: is it possible to control access to attributes based on an attribute tag? The idea is to hide certain attributes by adding a "...;x-hidden" tag.
> Doesn't the ";x-hidden" example in the slapd-config(5) manual page work?
Oh, it does, once one knows about it :-)
I usually consult the "full" documentation (in this case the Admin Guide, see http://www.openldap.org/doc/admin24/access-control.html) and here tags aren't even mentioned. And "man slapd.access" doesn't point to "man slapd.conf" in its "SEE ALSO" section. I wouldn't have expected that such a special feature is explained in the general configuration documentation but not in the special one. And the syntax description on that page doesn't mention tags at all.
Thanks, Ralf Mattes
On Thu, 29 Sep 2016 13:43:49 +0200, "Ralf Mattes" r.mattes@mh-freiburg.de wrote:
> On Thursday, 29 September 2016 10:20 CEST, Hallvard Breien Furuseth h.b.furuseth@usit.uio.no wrote:
> > On 29. sep. 2016 08:52, Ralf Mattes wrote:
> > > Just a quick question: is it possible to control access to attributes based on an attribute tag? The idea is to hide certain attributes by adding a "...;x-hidden" tag.
> > Doesn't the ";x-hidden" example in the slapd-config(5) manual page work?
> Oh, it does, once one knows about it :-)
> I usually consult the "full" documentation (in this case the Admin Guide, see http://www.openldap.org/doc/admin24/access-control.html) and here tags aren't even mentioned. And "man slapd.access" doesn't point to "man slapd.conf" in its "SEE ALSO" section. I wouldn't have expected that such a special feature is explained in the general configuration documentation but not in the special one. And the syntax description on that page doesn't mention tags at all.
The reference is RFC3866
-Dieter
On Thursday, 29 September 2016 17:20 CEST, Dieter Klünter dieter@dkluenter.de wrote:
> On Thu, 29 Sep 2016 13:43:49 +0200, "Ralf Mattes" r.mattes@mh-freiburg.de wrote: [...]
> > I usually consult the "full" documentation (in this case the Admin Guide, see http://www.openldap.org/doc/admin24/access-control.html) and here tags aren't even mentioned. And "man slapd.access" doesn't point to "man slapd.conf" in its "SEE ALSO" section. I wouldn't have expected that such a special feature is explained in the general configuration documentation but not in the special one. And the syntax description on that page doesn't mention tags at all.
> The reference is RFC3866
That's the RFC for language and range tags, IIRC. What has this to do with the syntax of OpenLDAP's access control rules?
Confused, Ralf Mattes
On 29. sep. 2016 17:37, Ralf Mattes wrote:
> On Thursday, 29 September 2016 17:20 CEST, Dieter Klünter dieter@dkluenter.de wrote:
> > The reference is RFC3866
> That's the RFC for language and range tags, IIRC. What has this to do with the syntax of OpenLDAP's access control rules?
I do believe Dieter is talking about what the doc ought to be saying but doesn't, since like me he knows LDAP too well to notice :-) I'll file an ITS with a doc bug.
Briefly: "attributes" in indexes and ACLs generally refer to attribute descriptions _and their subtypes_. An attribute description is an attribute type optionally followed by ;options, which are an extension of the original concept of ;language tags. A type with a language tag or user-defined ;option is a sub-type of the original type, just like "cn" is a subtype of "name".
E.g. cn;x-hidden is a subtype of cn, if you've defined x-hidden. And so you can use access control rules on it, and the rules for plain "cn" will apply if a rule for cn;x-hidden doesn't match first.
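To make the ordering point above concrete, here is an added slapd.conf fragment. It is an illustration written for this page, not code from the thread or from the OpenLDAP project's documentation; the option name x-hidden, the suffix o=example and the DNs are assumed for the example.

```conf
# Declare the tagging option so slapd accepts attribute descriptions such
# as cn;x-hidden and mail;x-hidden (slapd.conf(5) "attributeoptions";
# olcAttributeOptions in cn=config).
attributeoptions x-hidden

# WRONG ORDER (commented out): a rule for plain "cn" also matches its
# subtypes, so the first clause already grants cn;x-hidden to everyone
# and the second clause is never consulted for that attribute.
#access to attrs=cn
#    by * read
#access to attrs=cn;x-hidden
#    by * none

# CORRECT ORDER: the more specific subtype rule comes first. Evaluation
# stops at the first "access to" clause whose <what> matches, so
# cn;x-hidden is tested before the general cn rule below.
access to attrs=cn;x-hidden,mail;x-hidden
    by dn.exact="cn=admin,o=example" write
    by dn.exact="cn=hr,o=example" read
    by * none

# Everything else under cn and mail (cn, cn;lang-de, ...) stays readable
# for authenticated users.
access to attrs=cn,mail
    by users read
    by * none
```

Two practical notes. First, the manual page's `by * =cs` form grants search and compare on the tagged values, so an anonymous client can still probe for them with a filter or a compare operation; `by * none` is the stricter choice when the goal is actually to hide them. Second, the effect of the ordering can be checked offline with slapacl(8) against the configuration file, for instance `slapacl -f slapd.conf -D "cn=hr,o=example" -b "uid=someone,o=example" "cn;x-hidden/read"`, before the rules are deployed to a live directory.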
I wrote:
> (...) An attribute description is an attribute type optionally followed by ;options, which are an extension of the original concept of ;language tags. A type with a language tag or user-defined ;option is a sub-type of the original type, just like "cn" is a subtype of "name".
That was a bit inaccurate. ;options like binary already existed, and they need not be subtypes IIRC. OpenLDAP's user-defined options are "tagging options", and that's the type of options which create sub-types. I'll dig up the RFCs for this, later.
On Thu, 29 Sep 2016 19:14:52 +0200, Hallvard Breien Furuseth h.b.furuseth@usit.uio.no wrote:
> On 29. sep. 2016 17:37, Ralf Mattes wrote:
> > On Thursday, 29 September 2016 17:20 CEST, Dieter Klünter dieter@dkluenter.de wrote:
> > > The reference is RFC3866
> > That's the RFC for language and range tags, IIRC. What has this to do with the syntax of OpenLDAP's access control rules?
> I do believe Dieter is talking about what the doc ought to be saying but doesn't, since like me he knows LDAP too well to notice :-) I'll file an ITS with a doc bug.
> Briefly: "attributes" in indexes and ACLs generally refer to attribute descriptions _and their subtypes_. An attribute description is an attribute type optionally followed by ;options, which are an extension of the original concept of ;language tags. A type with a language tag or user-defined ;option is a sub-type of the original type, just like "cn" is a subtype of "name".
> E.g. cn;x-hidden is a subtype of cn, if you've defined x-hidden. And so you can use access control rules on it, and the rules for plain "cn" will apply if a rule for cn;x-hidden doesn't match first.
Merci, Hallvard, for this clarification. My intention was to make clear that tags are part of the protocol and thus described in protocol-specific documentation, i.e. IETF docs, while access rules are OpenLDAP-specific, thus manual pages, in particular slapd.access(5). The guide is volunteer-driven basic documentation.
-Dieter
openldap-technical@openldap.org