Hello
In ACL, the attrs=foo val.regex="^(.*)$" construct allows filtering on the new value for an attribute.
Using sets in the who clauses this new value can be matched as ${v0} against current attribute values. But what if we want to match against another new attribute value? I currently run 2.4.33, and there is no way to have multiple attrs=foo val.regex="^(.*)$" statements in the what clause. Has this changed in later releases? Or is there another way of doing it?
Replying to myself:
Reading latest code from git, I can tell that there is no way to craft an ACL using val for multiple attributes. Such a concept is difficult to specify anyway: if I imagine something like this: access to attrs=foo val.regex="^(.*)$" attrs=bar val.regex="^(.*)$"
We can imagine we find foo's new value in ${v1} and bar's new value in ${v2}, but ${v0} remains difficult to define. And then there is the problem of how to handle multivalued attributes.
I came to the conclusion that this is not The Right Way of doing it, hence I had another idea: I could use an overlay that creates dynamic attributes based on other attributes' values. Some kind of buz = printf("%s-%s", foo, bar) functionality and use val.regex against this buz dynamic attribute.
Questions:
1) Does it already exist? Perhaps slapo-rwm is able to do something like this?
2) If not then I could implement it, but how feasible is it? Are overlays able to tweak an add or modify request, to add an attribute before it hits the ACL layer?
Emmanuel Dreyfus manu@netbsd.org wrote:
> In ACL, the attrs=foo val.regex="^(.*)$" construct allows filtering on the new value for an attribute.
> Using sets in the who clauses this new value can be matched as ${v0} against current attribute values. But what if we want to match against another new attribute value? I currently run 2.4.33, and there is no way to have multiple attrs=foo val.regex="^(.*)$" statements in the what clause. Has this changed in later releases? Or is there another way of doing it?
Frankly I don't understand in detail what you want to achieve.
But first of all: Did you set "add_content_acl on" in your slapd.conf (or similar in back-config)?
Ciao, Michael.
Emmanuel Dreyfus wrote:
> Replying to myself:
> Reading latest code from git, I can tell that there is no way to craft an ACL using val for multiple attributes. Such a concept is difficult to specify anyway: if I imagine something like this: access to attrs=foo val.regex="^(.*)$" attrs=bar val.regex="^(.*)$"
> We can imagine we find foo's new value in ${v1} and bar's new value in ${v2}, but ${v0} remains difficult to define. And then there is the problem of how to handle multivalued attributes.
> I came to the conclusion that this is not The Right Way of doing it, hence I had another idea: I could use an overlay that creates dynamic attributes based on other attributes' values. Some kind of buz = printf("%s-%s", foo, bar) functionality and use val.regex against this buz dynamic attribute.
> Questions
> - Does it already exist? Perhaps slapo-rwm is able to do something like this?
> - If not then I could implement it, but how feasible is it? Are overlays able to tweak an add or modify request, to add an attribute before it hits the ACL layer?
>
> Emmanuel Dreyfus manu@netbsd.org wrote:
> > In ACL, the attrs=foo val.regex="^(.*)$" construct allows filtering on the new value for an attribute.
> > Using sets in the who clauses this new value can be matched as ${v0} against current attribute values. But what if we want to match against another new attribute value? I currently run 2.4.33, and there is no way to have multiple attrs=foo val.regex="^(.*)$" statements in the what clause. Has this changed in later releases? Or is there another way of doing it?
On Tue, Dec 09, 2014 at 03:36:25PM +0100, Michael Ströder wrote:
> Frankly I don't understand in detail what you want to achieve.
Let me try to rephrase.
Such an ACL construct lets me match foo's new values as ${v1} in rules: access to attrs=foo val="^(.*)$"
Now my problem is that I would want to do this with two attributes. I came to the conclusion that a solution would be to have a dynamic attribute automatically created from the two attributes. Let us say that dynattr is created like printf("%s-%s", foo, bar); then I can do something like this and have foo's new value in ${v1} and bar's new value in ${v2}: access to attrs=dynattr val="^(.*)-(.*)$"
I could write an overlay to have this dynamic attribute generated, but I wonder if it can be done with existing tools.
> But first of all: Did you set "add_content_acl on" in your slapd.conf (or similar in back-config)?
Yes. IIRC I contributed the patch for this option :-)
Emmanuel Dreyfus wrote:
> On Tue, Dec 09, 2014 at 03:36:25PM +0100, Michael Ströder wrote:
> > Frankly I don't understand in detail what you want to achieve.
> Let me try to rephrase.
> Such an ACL construct lets me match foo's new values as ${v1} in rules: access to attrs=foo val="^(.*)$"
Yes, I know what it's for. I'm making heavy use of it.
> Now my problem is that I would want to do this with two attributes.
You should be more clear. Really two separate attributes or two distinct attribute values? Why can't you just use two different ACLs? It's still not clear to me.
> > But first of all: Did you set "add_content_acl on" in your slapd.conf (or similar in back-config)?
> Yes. IIRC I contributed the patch for this option :-)
But sometimes one forgets to even make use of own good stuff. ;-)
Ciao, Michael.
On Tue, Dec 09, 2014 at 04:02:42PM +0100, Michael Ströder wrote:
> You should be more clear. Really two separate attributes or two distinct attribute values? Why can't you just use two different ACLs? It's still not clear to me.
Because I would like to allow/deny some values of the first attribute depending on values of the second, e.g.: foo cannot be set to X if bar is set.
If I use two ACLs, I understand I am testing the new foo value against existing bar values: if the modify operation replaces both foo and bar, I cannot enforce my rule.
Emmanuel Dreyfus wrote:
> On Tue, Dec 09, 2014 at 04:02:42PM +0100, Michael Ströder wrote:
> > You should be more clear. Really two separate attributes or two distinct attribute values? Why can't you just use two different ACLs? It's still not clear to me.
> Because I would like to allow/deny some values of the first attribute depending on values of the second, e.g.: foo cannot be set to X if bar is set.
How about using break/continue to influence the ACL control flow? Can get tricky though.
Ciao, Michael.
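The constraint Emmanuel states in the exchange above (foo must not be set to X when bar is set), written out as an slapd.conf ACL fragment. This is an added example, not configuration posted in the thread; the attribute names foo and bar, the value X and the suffix dc=example,dc=com are placeholders taken from or assumed for the discussion. It uses the existing-entry check that the thread identifies as insufficient when one modify operation replaces both attributes, and the comments mark exactly where that gap is.

```conf
# Added example (not from the thread): slapd.conf fragment enforcing
# "foo cannot be set to X if bar is set" with the ACL features under
# discussion. foo, bar, X and dc=example,dc=com are placeholders.

# Without this, attribute values carried in an add request are not
# subjected to the attrs=/val= checks at all.
add_content_acl on

# 1. Refuse the value X for foo when the entry already carries bar.
#    filter= is evaluated against the entry as stored: in a modify that
#    replaces foo and bar in the same operation, the *new* bar value is
#    not visible here, which is the limitation discussed in the thread.
access to dn.subtree="dc=example,dc=com" filter=(bar=*) attrs=foo val.regex="^X$"
    by * none

# 2. Every other value of foo falls through to the usual rules, because
#    the first directive only matches the value X.
access to dn.subtree="dc=example,dc=com" attrs=foo
    by self write
    by users read
```

When checking such rules, test with a single modify that replaces both attributes in one operation, not with two separate modifies: the two-step case passes through directive 1 as intended, while the single-operation case is the one the stored-entry filter cannot see.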
manu@netbsd.org (Emmanuel Dreyfus) wrote:
> Replying to myself:
> Reading latest code from git, I can tell that there is no way to craft an ACL using val for multiple attributes. Such a concept is difficult to specify anyway: if I imagine something like this: access to attrs=foo val.regex="^(.*)$" attrs=bar val.regex="^(.*)$"
> We can imagine we find foo's new value in ${v1} and bar's new value in ${v2}, but ${v0} remains difficult to define. And then there is the problem of how to handle multivalued attributes.
> I came to the conclusion that this is not The Right Way of doing it, hence I had another idea: I could use an overlay that creates dynamic attributes based on other attributes' values. Some kind of buz = printf("%s-%s", foo, bar) functionality and use val.regex against this buz dynamic attribute.
> Questions
> - Does it already exist? Perhaps slapo-rwm is able to do something like this?
As documented in its manpage, slapo-rwm only rewrites DN-valued attributes.
> - If not then I could implement it, but how feasible is it? Are overlays able to tweak an add or modify request, to add an attribute before it hits the ACL layer?
Sure.
> Emmanuel Dreyfus manu@netbsd.org wrote:
> > In ACL, the attrs=foo val.regex="^(.*)$" construct allows filtering on the new value for an attribute.
> > Using sets in the who clauses this new value can be matched as ${v0} against current attribute values. But what if we want to match against another new attribute value? I currently run 2.4.33, and there is no way to have multiple attrs=foo val.regex="^(.*)$" statements in the what clause. Has this changed in later releases? Or is there another way of doing it?
Emmanuel Dreyfus wrote:
> Hello
> In ACL, the attrs=foo val.regex="^(.*)$" construct allows filtering on the new value for an attribute.
> Using sets in the who clauses this new value can be matched as ${v0} against current attribute values. But what if we want to match against another new attribute value? I currently run 2.4.33, and there is no way to have multiple attrs=foo val.regex="^(.*)$" statements in the what clause. Has this changed in later releases?
No, this has not changed.
> Or is there another way of doing it?
Use a separate clause for a different value.