Hello,
I have converted from static (slapd.conf) to dynamic (cn=config) configuration using auto file conversion.
I would like to ask a couple of questions regarding ACL conversion. Here follows one of the rules we have in initial form (a), and after conversion (b):
(a) access to dn.subtree="dc=xxx.xxx.xxx.in-addr.arpa,ou=dns1,dc=example,dc=gr" attrs="children,entry"
        by group.exact="cn=TechAdmins,ou=Groups,dc=example,dc=gr" write
        by group.exact="cn=Dept1Admins,ou=Groups,dc=example,dc=gr" read
        by group.exact="cn=Dept2Admins,ou=Groups,dc=example,dc=gr" write
        by group.exact="cn=Dept3Admins,ou=Groups,dc=example,dc=gr" read
        by group.exact="cn=Dept4Admins,ou=Groups,dc=example,dc=gr" read
        by group.exact="cn=Dept5Admins,ou=Groups,dc=example,dc=gr" read
        by group.exact="cn=GuestAdmins,ou=Groups,dc=example,dc=gr" read
        by dn.exact="uid=dnsauthusr,ou=System,dc=example,dc=gr" read
        by * break
(b) as an olcAccess attribute value: {10}to dn.subtree="dc=xxx.xxx.xxx.in-addr.arpa,ou=dns1,dc=example,dc=gr" attrs=children,entry by group/groupOfNames/member.exact="cn=techadmins,ou=groups,dc=example,dc=gr" write by group/groupOfNames/member.exact="cn=Dept1Admins,ou=groups,dc=example,dc=gr" read by group/groupOfNames/member.exact="cn=Dept2Admins,ou=groups,dc=example,dc=gr" write by group/groupOfNames/member.exact="cn=Dept3Admins,ou=groups,dc=example,dc=gr" read by group/groupOfNames/member.exact="cn=Dept4Admins,ou=groups,dc=example,dc=gr" read by group/groupOfNames/member.exact="cn=Dept5Admins,ou=groups,dc=example,dc=gr" read by group/groupOfNames/member.exact="cn=guestadmins,ou=groups,dc=example,dc=gr" read by dn.base="uid=dnsauthusr,ou=system,dc=example,dc=gr" read by * +0 break
Question 1. Why was "group.exact" changed to "group/groupOfNames/member.exact"? Yes, groups are defined as entries of the groupOfNames objectClass, with members defined as values of the attribute "member". But should it be like that? Should we change (manually) "group/groupOfNames/member.exact" back to "group.exact" again or not (and why)?
Question 2. Is there a way we can add (manually, since conversion removed the ones which existed in initial configuration files) line breaks in olcAccess attribute value so it can be more legible (for administrative purposes)?
Question 3. What is the "+0" added before "break" and why is it needed?
Thanks in advance, Nick
Any advice on this, please?
Thanks, Nick
On 23/12/2011 12:23 πμ, Nick Milas wrote:
--On Tuesday, December 27, 2011 6:03 PM +0200 Nick Milas nick@eurobjects.com wrote:
On 23/12/2011 12:23 πμ, Nick Milas wrote:
Question 1. Why was "group.exact" changed to "group/groupOfNames/member.exact"? Yes, groups are defined as entries of the groupOfNames objectClass, with members defined as values of the attribute "member". But should it be like that? Should we change (manually) "group/groupOfNames/member.exact" back to "group.exact" again or not (and why)?
Read the slapd.access man page.
Question 2. Is there a way we can add (manually, since conversion removed the ones which existed in initial configuration files) line breaks in olcAccess attribute value so it can be more legible (for administrative purposes)?
No, it is in LDIF format.
Question 3. What is the "+0" added before "break" and why is it needed?
See the slapd.access man page. Even if you never had it in slapd.conf, it was always automatically added when slapd processed the configuration file.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Nick Milas wrote:
Question 2. Is there a way we can add (manually, since conversion removed the ones which existed in initial configuration files) line breaks in olcAccess attribute value so it can be more legible (for administrative purposes)?
*You do not like this:*
dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read
*but prefer something like this:*
dn: olcDatabase={-1}frontend,cn=config
olcAccess: to *
 by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
 by * break
olcAccess: to dn.exact=""
 by * read
olcAccess: to dn.base="cn=Subschema"
 by * read
I think it is legible. And the openldap ldif parser is still happy.
The quite old streamline editor sed helps.
#!/bin/sed -rf
# Author: Harry Jede
# produce human readable but still machine parseable
# olcAccess lines and removes the ordering numbers in {}
# because humans don't need them, really.

# the whole script
# strip the {n} ordering prefix from every olcAccess value (the braces are
# escaped so the extended regex takes them literally, not as an interval)
s/^(olcAccess: )\{[[:digit:]]+\}(.*$)/\1\2/
# collect all lines in the hold space (copy on the first line, append on the
# others, so no empty line is emitted at the top) and print nothing before
# the last line
1h
1!H
$!d
# on the last line: fetch everything, join LDIF continuation lines, then put
# every "by" clause on its own continuation line
g
s/\n //g
s/[[:space:]]+by /\n by /g
Use the script at your own risk! I wrote it some months ago and it works for me. I do not cover the case that an entry in an ACL has the keyword *by* in the DN, something like this: "cn=produced by company,dc=example,dc=com"
Usage examples on a Debian system:

a) small data

# ldapsearch -LLLY external -H ldapi:/// -b 'olcDatabase={1}monitor,cn=config' 'olcaccess=*' olcaccess 2>/dev/null|fmt_olcAccess
dn: olcDatabase={1}monitor,cn=config
olcAccess: to *
 by dn.exact="cn=admin,dc=delixs-schule,dc=de" read
 by set="[cn=admin,dc=delixs-schule,dc=de]/roleOccupant/member & user" read
 by * none

b) much more data

slapcat -n0 |fmt_olcAccess |less
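The following is an added example, not code from Nick, Quanah or Harry. It does in Python what Harry's sed script does (strips the {n} prefix and folds each "by" clause onto its own LDIF continuation line), but it tokenizes with awareness of double quotes, so the case Harry excludes, a DN such as "cn=produced by company,dc=example,dc=com", is handled. It also addresses Questions 1 and 3 by normalising a slapd.conf access line and its converted olcAccess value (group.exact expanded to group/groupOfNames/member.exact, dn.exact to dn.base, quotes and case dropped, +0 inserted before a control keyword when no access level is given) and comparing the two. The function names, the REWRITES table and the sample rules are the example's own (the samples are constructed, shortened from the rule Nick quoted); that DN values compare case-insensitively and that +0 is what the converter writes for every missing access level, not only before break, are assumptions rather than statements from the thread.

```python
import re

# Added example for this thread (not code from any of the posters).
# Assumptions: attribute names and the DN values compared here are
# case-insensitive, and a "by" clause that names no access level is stored
# with "+0" before its control keyword, as the thread shows for "break".

ORDER_PREFIX = re.compile(r"^\{-?\d+\}")   # {n} ordering prefix of olcAccess
REWRITES = {                                # shorthand styles the converter expands
    "group.exact": "group/groupofnames/member.exact",
    "dn.exact": "dn.base",
}
CONTROLS = ("stop", "continue", "break")


def tokenize(rule):
    """Split an ACL on whitespace, keeping a double-quoted string (which may
    contain spaces, e.g. "cn=produced by company,...") as one token."""
    tokens, buf, in_quotes = [], [], False
    for ch in rule:
        if ch == '"':
            in_quotes = not in_quotes
            buf.append(ch)
        elif ch.isspace() and not in_quotes:
            if buf:
                tokens.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if in_quotes:
        raise ValueError("unbalanced double quote in ACL")
    if buf:
        tokens.append("".join(buf))
    return tokens


def split_clauses(value):
    """Return [["to", ...], ["by", ...], ...] for a slapd.conf access line or
    an olcAccess value; only a bare 'by' token starts a new clause."""
    tokens = tokenize(ORDER_PREFIX.sub("", value.strip()))
    if tokens and tokens[0] == "access":    # slapd.conf spelling
        tokens = tokens[1:]
    if not tokens or tokens[0] != "to":
        raise ValueError("ACL must start with 'to'")
    clauses, current = [], []
    for tok in tokens:
        if tok == "by" and current:
            clauses.append(current)
            current = []
        current.append(tok)
    clauses.append(current)
    return clauses


def format_olcaccess(value, attr="olcAccess"):
    """Render one value as a folded LDIF attribute, one 'by' clause per
    continuation line.  Unfolding strips exactly one leading space from a
    continuation line (RFC 2849), so each clause line starts with two: the
    first is the fold marker, the second keeps the clauses apart."""
    clauses = split_clauses(value)
    lines = [attr + ": " + " ".join(clauses[0])]
    lines += ["  " + " ".join(clause) for clause in clauses[1:]]
    return "\n".join(lines)


def unfold_ldif(text):
    """RFC 2849 unfolding: append each continuation line to its predecessor
    after dropping its single leading space."""
    return text.replace("\n ", "")


def normalize(value):
    """Canonical clause list used to compare the two spellings of a rule."""
    out = []
    for clause in split_clauses(value):
        words = [w.replace('"', "").lower() for w in clause]
        for i, w in enumerate(words):
            key, sep, rest = w.partition("=")
            if sep and key in REWRITES:
                words[i] = REWRITES[key] + "=" + rest
        # 'by <who> <control>' with no access level -> 'by <who> +0 <control>'
        if words[0] == "by" and len(words) == 3 and words[2] in CONTROLS:
            words.insert(2, "+0")
        out.append(" ".join(words))
    return out


def equivalent(conf_rule, olc_value):
    """True when the two spellings differ only by the expected rewrites."""
    return normalize(conf_rule) == normalize(olc_value)


# Constructed samples, shortened from the rule quoted in the thread.
CONF_RULE = ('access to dn.subtree="ou=dns1,dc=example,dc=gr" attrs="children,entry" '
             'by group.exact="cn=TechAdmins,ou=Groups,dc=example,dc=gr" write '
             'by dn.exact="uid=dnsauthusr,ou=System,dc=example,dc=gr" read by * break')
OLC_VALUE = ('{10}to dn.subtree="ou=dns1,dc=example,dc=gr" attrs=children,entry '
             'by group/groupOfNames/member.exact="cn=techadmins,ou=groups,dc=example,dc=gr" write '
             'by dn.base="uid=dnsauthusr,ou=system,dc=example,dc=gr" read by * +0 break')
# A DN containing the word "by": the case a whitespace-only split gets wrong.
TRICKY = '{0}to * by dn.exact="cn=produced by company,dc=example,dc=com" read by * break'

if __name__ == "__main__":
    print(format_olcaccess(TRICKY))
    print("round trip ok:", unfold_ldif(format_olcaccess(TRICKY)) == "olcAccess: " + TRICKY[3:])
    print("(a) and (b) equivalent:", equivalent(CONF_RULE, OLC_VALUE))
```

Because LDIF unfolding removes exactly one leading space from a continuation line, the formatter starts each clause line with two spaces; unfold_ldif then shows that the value survives the round trip with its clause separators intact, which is the check to run on any folded olcAccess before handing it to slapadd or ldapmodify.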
openldap-technical@openldap.org