Hi @all,
I've tried to implement an olcAccess via regex for multiple directory entries. The goal was to group different users in two standard groups. Each group does have other access rules. I didn't want to do such a thing for every entry, so I thought that I'm able to do that with regexes. But my olcAccess rules don't work.
I've already posted the question to stackoverflow, but no answers till now. Here the link: http://stackoverflow.com/questions/31693040/ldap-olcaccess-regex-are-not-wor...
And here the rule for a regex access:
olcAccess: {1}to dn.regex="^o(.+),dc=organizations,dc=example,dc=ldap$" attrs=children by group.exact="cn=ADMINS,o=[$1],dc=organizations,dc=example,dc=ldap$" write by group.exact="cn=USER,o=[$1],dc=organizations,dc=example,dc=ldap$" read by * none
Can somebody help me? Or is such a thing not possible to do?
Greetings John
PS: the content from Stackoverflow: ----------------------------------------------------------------------------------------
I have an LDAP server running with the structure:
dc=example,dc=ldap
  dc=organisations
    o=orga1 (objectClasses top/organisation/dcObject)
      cn=ADMINS (objectClasses top/groupOfNames)
      cn=USER
    o=orga2
      cn=ADMIN
      cn=USER
  cn=users (objectClasses top/organisation/dcObject)
    cn=user1 (objectClasses top/person)
    cn=user2
Now I want to add some rules so that only the users in the organisation groups are able to see the organisation.
The hard-coded approach was quite easy to implement:
olcAccess: {1}to dn.subtree="o=orga1,dc=organizations,dc=example,dc=ldap"
by group.exact="cn=ADMINS,o=orga1,dc=organizations,dc=example,dc=ldap" write
by group.exact="cn=USER,o=orga1,dc=organizations,dc=example,dc=ldap" read
by * none
(It is important to write TWO spaces in front of the 'by' [it was a problem for a long time for me])
But I don't want to implement these rules for every new organisation, so I tried to implement the rule with some regex magic. But I failed miserably:
olcAccess: {1}to dn.regex="^o(.+),dc=organizations,dc=example,dc=ldap$"
attrs=children
by group.exact="cn=ADMINS,o=[$1],dc=organizations,dc=example,dc=ldap$" write
by group.exact="cn=USER,o=[$1],dc=organizations,dc=example,dc=ldap$" read
by * none
This rule affects nothing. So does someone have some idea to fix my problem?
Or is it not possible to group the members like I did?
Thanks again
-- Johannes Fischer Research Fellow Fraunhofer Institute for Manufacturing Engineering and Automation IPA
Competence Centre Digital Tools for Manufacturing
Nobelstrasse 12 | 70569 Stuttgart | Germany Phone +49 711 970-1217
Johannes.Fischer@ipa.fraunhofer.de www.ipa.fraunhofer.de
Fischer, Johannes wrote:
Hi @all,
I've tried to implement an olcAccess via regex for multiple directory entries.
The goal was to group different users in two standard groups. Each group does have other access rules. I didn't want to do such a thing for every entry, so I thought that I'm able to do that with regexes.
But my olcAccess rules don't work.
I've already posted the question to stackoverflow, but no answers till now. Here the link:
http://stackoverflow.com/questions/31693040/ldap-olcaccess-regex-are-not-wor...
There are no OpenLDAP experts on stackoverflow.
And here the rule for a regex access:
olcAccess: {1}to dn.regex="^o(.+),dc=organizations,dc=example,dc=ldap$" attrs=children by group.exact="cn=ADMINS,o=[$1],dc=organizations,dc=example,dc=ldap$" write by group.exact="cn=USER,o=[$1],dc=organizations,dc=example,dc=ldap$" read by * none
Can somebody help me? Or is such a thing not possible to do?
Your rule uses group.exact, which means it is NOT doing regex evaluation. Read the slapd.access(5) manpage again.
Howard Chu wrote:
Fischer, Johannes wrote:
And here the rule for a regex access:
olcAccess: {1}to dn.regex="^o(.+),dc=organizations,dc=example,dc=ldap$" attrs=children by group.exact="cn=ADMINS,o=[$1],dc=organizations,dc=example,dc=ldap$" write by group.exact="cn=USER,o=[$1],dc=organizations,dc=example,dc=ldap$" read by * none
Can somebody help me? Or is such a thing not possible to do?
Your rule uses group.exact, which means it is NOT doing regex evaluation.
Besides that
dn.regex="^o(.+),dc=organizations,dc=example,dc=ldap$"
should probably be
dn.regex="^o=(.+),dc=organizations,dc=example,dc=ldap$"
Also the [] brackets in the who clause should be curly brackets {}.
Personally I also prefer to always use ${d1} to make it explicit that the DN regex is addressed (as opposed to val.regex, referenced by ${v1}).
Read the slapd.access(5) manpage again.
Yes, one has to really spend lots of time with this man page!
Also use loglevel ..,ACL,.. to see valuable output on how your ACLs are processed.
Ciao, Michael.
openldap-technical@openldap.org
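To make the replies concrete, here is an added Python model (not code from the thread or from OpenLDAP) of how slapd expands a group.expand who-clause from the dn.regex captures in the to-clause, applied to the posted rule and to the rule after the suggested fixes. The DNs are constructed samples, and slapd's DN normalisation is not modelled.

```python
import re

# Constructed sample data (not from the thread): the entry being read and the
# group DNs that really exist under o=orga1.
TARGET_DN = "o=orga1,dc=organizations,dc=example,dc=ldap"
EXISTING_GROUPS = {
    "cn=ADMINS,o=orga1,dc=organizations,dc=example,dc=ldap",
    "cn=USER,o=orga1,dc=organizations,dc=example,dc=ldap",
}

# $1, ${1} and ${d1} all refer to capture 1 of the dn.regex in the <to> clause.
_REF = re.compile(r"\$(?:\{d?(\d)\}|(\d))")


def expand_who(pattern, dn_match, style):
    """Turn a group.<style>=<pattern> clause into the DN slapd will look up.

    Only group.expand substitutes capture references; group.exact takes the
    pattern verbatim, so "$1" stays the literal string "$1".  Characters that
    are not a reference (e.g. a stray trailing '$') are copied unchanged.
    """
    if style != "expand":
        return pattern
    return _REF.sub(lambda m: dn_match.group(int(m.group(1) or m.group(2))), pattern)


def resolve_group(to_regex, who_pattern, style, target_dn):
    """Return the group DN consulted for target_dn, or None when the <to>
    clause does not match and the ACL is skipped entirely (dn.regex is
    matched case-insensitively, as slapd does)."""
    m = re.match(to_regex, target_dn, flags=re.IGNORECASE)
    return expand_who(who_pattern, m, style) if m else None


def group_exists(to_regex, who_pattern, style, target_dn):
    """True when the resolved group DN is an entry that actually exists."""
    return resolve_group(to_regex, who_pattern, style, target_dn) in EXISTING_GROUPS


BASE = ",dc=organizations,dc=example,dc=ldap"
# The rule from the original post: missing '=' after 'o', square brackets,
# group.exact, and a trailing '$' inside the who clause.
POSTED = (rf"^o(.+){BASE}$", f"cn=ADMINS,o=[$1]{BASE}$", "exact")
# The rule after applying the replies: 'o=' in the regex, ${d1}, group.expand.
FIXED = (rf"^o=(.+){BASE}$", f"cn=ADMINS,o=${{d1}}{BASE}", "expand")

if __name__ == "__main__":
    for label, rule in (("posted", POSTED), ("fixed", FIXED)):
        print(label, resolve_group(*rule, TARGET_DN), group_exists(*rule, TARGET_DN))
```

Running it shows the posted rule looking up a group DN that cannot exist, while the fixed rule resolves to cn=ADMINS,o=orga1,... for any organisation matched by the to-clause.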