ACL advice needed ... - openldap-technical

5 Dec 2016


      -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
greetings,
I'm trying to configure ACL, I belive it is possible to ... but after
some attempts I doubt it is ...
please, help me to understand where I'm making the mistake/s ...
I need to manage possibility for "coadmins" group members to manage all
except the objects of "admins" group members
forgive me please my long explanation ...
so I have:
Important: the starting point in my case is auth accounts structure:
users do auth with (lets call it) "root" objects (most upper level):
uid=<USER>,ou=People,dc=abc
- ---[ accounts and groups start ]-------------------------------------------
dn: uid=admin1,ou=People,dc=abc
dn: uid=admin7,ou=People,dc=abc
dn: uid=bil,authorizedService=serviceD,uid=admin7,ou=People,dc=abc
dn: uid=coadmin5,ou=People,dc=abc
dn: uid=johndoe,authorizedService=serviceA,uid=coadmin5,ou=People,dc=abc
dn: uid=coadmin6,ou=People,dc=abc
dn: cn=admins,dc=abc
memberUid: admin1
- ---[ accounts and groups end   ]-------------------------------------------
group objects memberUid attribute value contains uid of the "root"
objects
- ---[ group structure start ]-------------------------------------------
dn: cn=coadmins,ou=group,dc=abc
memberUid: coadmin5
memberUid: coadmin6
- ---[ group structure end   ]-------------------------------------------
here is the ACL I managed to work as I want:
- ---[ quotation start ]-------------------------------------------
access to dn.subtree="dc=abc" attrs=userPassword
        by set="[cn=admin,ou=group,dc=abc]/memberUid & user/uid" manage
        by set.exact="this/-2 & user" write
        by self write
        by anonymous auth
        by * break
- ---[ quotation end   ]-------------------------------------------
this allows admins to manage passwords of anybody and for all other
users manage passwords of self "root" account and service accounts (look
structure of account objects above)
and now, I had a hope to do the same to get possibility for coadmins to manage
passwords of anybody except admins, and here what I thought about:
- ---[ quotation start ]-------------------------------------------
access to dn.subtree="dc=abc" attrs=userPassword
        by set="[cn=admin,ou=group,dc=abc]/memberUid & user/uid" manage
        by set="(([cn=admin,ou=group,dc=abc]/memberUid & this/uid) | ([cn=admin,ou=group,dc=abc]/memberUid & [this/-2]/uid)) & ([cn=coadmin,ou=group,dc=abc]/memberUid & user/uid)" disclose
        by set="[cn=coadmin,ou=group,dc=abc]/memberUid & user/uid" manage
        by set.exact="this/-2 & user" write
        by self write
        by anonymous auth
        by * break
- ---[ quotation end   ]-------------------------------------------
and it doesn't work
the initial idea of the second `by set=' row is:
for coadmins to disallow all access to userPassword if account belongs to admin
am I right to expect:
1.1. "[cn=admin,ou=group,dc=abc]/memberUid & this/uid" 
     is true if uid of current record is member of the group `admin'
when `this' is the very "root" account (uid=admin7,ou=People,dc=abc)
1.2. "[cn=admin,ou=group,dc=abc]/memberUid & [this/-2]/uid"
     uid of the "root" account (uid=admin7,ou=People,dc=abc) is admin group member
when `this' is service account like:
     uid=bil,authorizedService=serviceD,uid=admin7,ou=People,dc=abc
     `this/-2' trimms it to `uid=admin7,ou=People,dc=abc' and `/uid' have to provide uid value
1.3. "[cn=coadmin,ou=group,dc=abc]/memberUid & user/uid"
     true if currently loggedin user uid is coadmin group member
so ... was I successfull to explain what I want? :)
- -- 
Zeus V. Panchenko				jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC					  GMT+2 (EET)
...PGP SIGNATURE...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlhFk1kACgkQr3jpPg/3oyp7XgCggcp9Y909JRQOknE7GkgjmZpw
/sYAoIyimb3gcy38qZAjlyHfbF+rH63a
=aqts
-----END PGP SIGNATURE-----