9:49 p.m.
Hello all,
I would like to start use of olcAccess rules, are there human-friendly
editor for that ACLs?
I can't even use line breaks in ldif file to make my restrictions a bit
more readable! I strongly dislike very long string values, one day this
will cause mistake and access violation.
I've tried with Apache DS, ldif import and few puppet modules, everything
require huge line ACL.
Any help will be welcome.
--
Bogdan Rudas
Head of Minsk IT Support Department
Exadel Inc.
http://www.exadel.com/
E-mail: brudas(a)exadel.com <mandrushkevich(a)exadel.com>
Skype ID: bogdan.rudas
--
CONFIDENTIALITY NOTICE: This email and files attached to it are
confidential. If you are not the intended recipient you are hereby notified
that using, copying, distributing or taking any action in reliance on the
contents of this information is strictly prohibited. If you have received
this email in error please notify the sender and delete this email.
5:42 p.m.
On Nov 10, 2015, at 00.49, Bogdan Rudas <brudas(a)exadel.com> wrote:
Hello all,
I would like to start use of olcAccess rules, are there human-friendly editor for that
ACLs?
I can't even use line breaks in ldif file to make my restrictions a bit more
readable! I strongly dislike very long string values, one day this will cause mistake and
access violation.
I've tried with Apache DS, ldif import and few puppet modules, everything require
huge line ACL.
Any help will be welcome.
see
http://www.openldap.org/cgi-bin/wilma_hiliter/openldap-technical/201009/m...
-ben
8:48 a.m.
Bogdan Rudas wrote:
I would like to start use of olcAccess rules, are there
human-friendly
editor for that ACLs?
I can't even use line breaks in ldif file to make my restrictions a bit
more readable! I strongly dislike very long string values, one day this
will cause mistake and access violation.
That's the reason why I still strongly recommend to use static configuration
files, especially when setting up slapd via puppet with .erb templates.
Last week I had to modify some ACLs in cn=config. It took me much more time to
do this than modifying a static configuration.
I'm currently playing with 'olcAccess' attribute handling in my web2ldap.
It's very cumbersome:
Normally web2ldap trys to preserve exactly what's in a LDAP entry when
generating the input form for modification so that there won't be any
modification if the user did not alter any value but accidently hit the submit
button. I could not figure out how to achieve this with all the white-spacing
variants olcAccess values can contain because normalizing the values in some
way would likely lead to a different value.
Ciao, Michael.
4:28 a.m.
Bogdan Rudas wrote:
Hello all,
I would like to start use of olcAccess rules, are there
human-friendly editor for that ACLs?
Use any editor you wish. It is just text!
I can't even use line breaks in ldif file to make my restrictions
a
bit more readable!
One can use line breaks, no problem. But understanding ldif
file
syntax is important.
Often one have very long lines in ldif files.
A standard terminal has a width of 80 characters. Longer lines get
broken at charakter 78. 79 charakter is a newline "\n", 80 character
is one space " ". So the output you get looks like this:
line no text
1 "78 byte" + "\n"
2 "one space" + "next 78 bytes + "\n"
3 "one space" + "next 78 bytes + "\n"
This happens during a ldapsearch operation. If you upload this
ldif to a ldapserver these two bytes "\n " will be removed.
Conclusion:
One may add a newline to a ldif file by adding two characters
"\n + space". You may add as many newline you wish.
i.e.
open
l
a
p
becomes "openlap" after opload.
open
l
a
p
becomes "open l ap" after upload
I strongly dislike very long string values, one
day this will cause mistake and access violation.
I've tried with Apache DS, ldif import and few puppet modules,
everything require huge line ACL.
No, not really. They just require proper formated
ldif input.
man ldif, section "ENTRY RECORD EXAMPLE", attribute jpegPhoto
Any help will be welcome.
read this thread:
http://www.openldap.org/lists/openldap-technical/201402/threads.html#00105
here is a small filter which may help you:
# cat $(which fmt_olcAccess)
#!/bin/sed -rf
# Author: Harry Jede
# produce human readable but still machine parseable
# olcAccess lines and removes the ordering numbers in {}
# because humans don't need them, really.
# the hole script
s/^(olcAccess: )\{[[:digit:]]+\}(.*$)/\1\2/
$!{H;d}
${H;g;s/\n //g;s/[[:space:]]+by /\n by /g}
info sed explains the commands
in short
line 1: removes the ordering numbers
line 2: concatenate all lines into hold buffer
line 3: move hold buffer back to pattern buffer
s/\n //g delete any occurance of "\n "
finally search for " by" and add a
ldif line break in front of " by"
--
Harry Jede
2861
days inactive
2873
days old
openldap-technical@openldap.org
3 comments
4 participants
participants (4)
-
Bogdan Rudas -
btb@bitrate.net -
Harry Jede -
Michael Ströder