Hello all,
I would like to start using olcAccess rules; is there a human-friendly editor for those ACLs? I can't even use line breaks in an ldif file to make my restrictions a bit more readable! I strongly dislike very long string values; one day this will cause a mistake and an access violation.
I've tried Apache DS, ldif import and a few puppet modules; everything requires a huge one-line ACL.
Any help will be welcome.
On Nov 10, 2015, at 00.49, Bogdan Rudas brudas@exadel.com wrote:
Hello all,
I would like to start using olcAccess rules; is there a human-friendly editor for those ACLs? I can't even use line breaks in an ldif file to make my restrictions a bit more readable! I strongly dislike very long string values; one day this will cause a mistake and an access violation.
I've tried Apache DS, ldif import and a few puppet modules; everything requires a huge one-line ACL.
Any help will be welcome.
see
http://www.openldap.org/cgi-bin/wilma_hiliter/openldap-technical/201009/msg0...
-ben
Bogdan Rudas wrote:
I would like to start using olcAccess rules; is there a human-friendly editor for those ACLs? I can't even use line breaks in an ldif file to make my restrictions a bit more readable! I strongly dislike very long string values; one day this will cause a mistake and an access violation.
That's the reason why I still strongly recommend using static configuration files, especially when setting up slapd via puppet with .erb templates.
Last week I had to modify some ACLs in cn=config. It took me much more time to do this than modifying a static configuration.
I'm currently playing with 'olcAccess' attribute handling in my web2ldap. It's very cumbersome: normally web2ldap tries to preserve exactly what's in an LDAP entry when generating the input form for modification, so that there won't be any modification if the user did not alter any value but accidentally hit the submit button. I could not figure out how to achieve this with all the whitespace variants olcAccess values can contain, because normalizing the values in some way would likely lead to a different value.
Ciao, Michael.
Bogdan Rudas wrote:
Hello all,
I would like to start using olcAccess rules; is there a human-friendly editor for those ACLs?
Use any editor you wish. It is just text!
I can't even use line breaks in an ldif file to make my restrictions a bit more readable!
One can use line breaks, no problem. But understanding ldif file syntax is important.
Often one has very long lines in ldif files.
A standard terminal has a width of 80 characters. Longer lines get broken at character 78. Character 79 is a newline "\n", character 80 is one space " ". So the output you get looks like this:

line no   text
1         "78 byte" + "\n"
2         "one space" + "next 78 bytes" + "\n"
3         "one space" + "next 78 bytes" + "\n"

This happens during an ldapsearch operation. If you upload this ldif to an LDAP server, these two bytes "\n " will be removed.
Conclusion: One may add a newline to an ldif file by adding the two characters "\n" + space. You may add as many newlines as you wish.
i.e.
open
 l
 a
 p

becomes "openlap" after upload.

open
  l
  a
 p

becomes "open l ap" after upload.
I strongly dislike very long string values; one day this will cause a mistake and an access violation.
I've tried Apache DS, ldif import and a few puppet modules; everything requires a huge one-line ACL.
No, not really. They just require properly formatted ldif input. See man ldif, section "ENTRY RECORD EXAMPLE", attribute jpegPhoto.
Any help will be welcome.
read this thread: http://www.openldap.org/lists/openldap-technical/201402/threads.html#00105
here is a small filter which may help you:
# cat $(which fmt_olcAccess)
#!/bin/sed -rf
# Author: Harry Jede
# produce human readable but still machine parseable
# olcAccess lines and removes the ordering numbers in {}
# because humans don't need them, really.
#
# notes: the braces are escaped so that -r does not read "{" as
# an interval operator; the inserted line break is "\n" + two
# spaces, because LDIF unfolding eats exactly one leading space
# and the second one keeps " by" separated from the word before it;
# s/^\n// drops the empty line that H leaves in front of the first line.

# the whole script
s/^(olcAccess: )\{[[:digit:]]+\}(.*$)/\1\2/
$!{H;d}
${H;g;s/^\n//;s/\n //g;s/[[:space:]]+by /\n  by /g}

info sed explains the commands in short
line 1: removes the ordering numbers
line 2: concatenate all lines into hold buffer
line 3: move hold buffer back to pattern buffer
        s/\n //g delete any occurrence of "\n "
        finally search for " by" and add a ldif line break in front of " by"
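As an added worked example (not part of the thread and not Harry's script), the same transformation in Python with a round-trip check: the readable form must unfold, as slapd does on import, to exactly the access rule ldapsearch returned. The function names and the sample olcAccess value are my own; the folded sample is constructed, not real ldapsearch output.

```python
import re

# Constructed sample of what ldapsearch prints for one olcAccess value: the
# long value is folded and the continuation line starts with a single space.
FOLDED_LDIF = (
    "olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonym\n"
    ' ous auth by dn="cn=admin,dc=example,dc=com" write by * none'
)


def unfold_ldif(text: str) -> str:
    """Join continuation lines as slapd does on import (RFC 2849): a newline
    followed by exactly one space is removed, nothing else is touched."""
    return text.replace("\n ", "")


def strip_ordering(line: str) -> str:
    """Drop the {N} ordering prefix, as the thread's filter does for readability."""
    return re.sub(r"^(olcAccess: )\{\d+\}", r"\1", line)


def fmt_olcaccess(line: str, indent: int = 2) -> str:
    """Start a continuation line before every 'by' clause. With indent=2 the
    first space is eaten by unfolding and the second keeps ' by' separated
    from the preceding word; indent=1 would glue them together and silently
    change the rule."""
    return re.sub(r"\s+by ", "\n" + " " * indent + "by ", line)


def roundtrips(folded: str, indent: int = 2) -> bool:
    """True if the human-readable form unfolds to the same access rule that
    ldapsearch returned (minus the ordering number)."""
    logical = strip_ordering(unfold_ldif(folded))
    return unfold_ldif(fmt_olcaccess(logical, indent)) == logical


if __name__ == "__main__":
    print(fmt_olcaccess(strip_ordering(unfold_ldif(FOLDED_LDIF))))
    print("indent=2 roundtrips:", roundtrips(FOLDED_LDIF, 2))
    print("indent=1 roundtrips:", roundtrips(FOLDED_LDIF, 1))
```

Running the round-trip check before loading a hand-edited olcAccess value into cn=config catches the one-space mistake that would otherwise alter the ACL.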
openldap-technical@openldap.org