hi,
I'm trying to configure a not complex (as I believe) ACL ... but I have some difficulties.
I have two posixGroup groups
cn=admins,ou=group,dc=foo
cn=coadmins,ou=group,dc=foo
my users reside in ou=People,dc=foo
so, in subtree ou=People,dc=foo I need to allow anything to admins (and it is not difficult of course)
for example this works for me:
access to dn.subtree="ou=People,dc=foo"
    by set="[cn=admin,ou=group,dc=foo]/memberUid & user/uid" manage
    by self write
    by users read
    by * break
but in addition I need to allow my coadmins to do the same things except manipulations upon the objects which belong to admins ( ...anyobject,uid=adminuser,ou=People,dc=foo )
so, the question is: how? (if it is possible at all) :(
please, advise
[ This is a very old thread you are resurrecting! ]
On Fri, Sep 09, 2016 at 01:51:47PM +0300, Zeus Panchenko wrote:
I have two posixGroup groups
cn=admins,ou=group,dc=foo
cn=coadmins,ou=group,dc=foo
my users reside in ou=People,dc=foo
so, in subtree ou=People,dc=foo I need to allow anything to admins (and it is not difficult of course)
for example this works for me:
access to dn.subtree="ou=People,dc=foo"
    by set="[cn=admin,ou=group,dc=foo]/memberUid & user/uid" manage
    by self write
    by users read
    by * break
but in addition I need to allow my coadmins to do the same things except manipulations upon the objects which belong to admins ( ...anyobject,uid=adminuser,ou=People,dc=foo )
so, the question is: how? (if it is possible at all) :(
It depends partly on why the ACI ends with 'by * break'. What other rules could be applied in that case?
In the simple case where 'by * none' would have the same effect, you could just put another ACI ahead of the one above so it comes out like this:
access to <expression matching the admin user DNs>
    by self write
    by users read
    by * none
access to dn.subtree="ou=People,dc=foo"
    by set="[cn=admin,ou=group,dc=foo]/memberUid & user/uid" manage
    by self write
    by users read
    by * none
The problem is to write the '<expression matching the admin user DNs>'. That would probably be easier if you were not defining admin users by their UID in a Posix group. Ideally there would be an attribute visible in each entry that defines admin status, as then you could just key on that. If your admin group is defined as a standard DN-based groupOfNames then you could use the memberof overlay to reflect membership into an attribute of the user entry.
Andrew
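As an added example (not from the thread or from OpenLDAP itself), here is a small Python model of how slapd walks its ACL list, run over the two-clause arrangement in the reply above; the group membership and DNs are constructed, and the DN-suffix regex standing in for "<expression matching the admin user DNs>" is an assumption:

```python
import re

# Constructed sample data: the memberUid values of the two posixGroups.
ADMINS = {"adminuser"}
COADMINS = {"coadminuser"}
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def uid_of(dn):
    m = re.match(r"^uid=([^,]+),ou=People,dc=foo$", dn)
    return m.group(1) if m else None

def member(group):            # set="[<group>]/memberUid & user/uid"
    return lambda who, target: uid_of(who) in group
def is_self(who, target):     # by self
    return who == target
def users(who, target):       # by users: any authenticated DN
    return who != ""
def anyone(who, target):      # by *
    return True

# Andrew's two clauses, in file order.  A by-clause is (who-test, level,
# control): "stop" ends evaluation, "break" goes on to the next "access to".
# The DN-suffix regex stands in for <expression matching the admin user DNs>.
ADMIN_ENTRIES = re.compile(r"^(.+,)?uid=adminuser,ou=People,dc=foo$")
PEOPLE = re.compile(r"^(.+,)?ou=People,dc=foo$")
PROTECT_ADMIN = (ADMIN_ENTRIES, [(member(ADMINS), "manage", "stop"),
                                 (is_self, "write", "stop"),
                                 (users, "read", "stop"),
                                 (anyone, "none", "stop")])
PEOPLE_RULE = (PEOPLE, [(member(ADMINS), "manage", "stop"),
                        (member(COADMINS), "manage", "stop"),
                        (is_self, "write", "stop"),
                        (users, "read", "stop"),
                        (anyone, "none", "stop")])
ACL = [PROTECT_ADMIN, PEOPLE_RULE]

def access(who, target, acl=ACL):
    """Level slapd grants `who` on `target`: the first matching clause wins."""
    for what, by_clauses in acl:
        if not what.match(target):
            continue
        for who_test, level, control in by_clauses:
            if who_test(who, target):
                if control == "break":
                    break     # fall through to the next "access to" clause
                return level
    return "none"             # nothing matched: implicit deny

def allows(who, target, needed, acl=ACL):
    return LEVELS.index(access(who, target, acl)) >= LEVELS.index(needed)
```

Swapping the order of the two clauses is enough to hand coadmins manage on the admin's children, which is why the protecting clause has to come first.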
Andrew Findlay andrew.findlay@skills-1st.co.uk wrote:
[ This is a very old thread you are resurrecting! ]
sorry, but I was not able to find the answer yet. Below is a bit long reply/commentary ...
access to dn.subtree="ou=People,dc=foo"
    by set="[cn=admin,ou=group,dc=foo]/memberUid & user/uid" manage
    by self write
    by users read
    by * break
but in addition I need to allow my coadmins to do the same things except manipulations upon the objects which belong to admins ( ...anyobject,uid=adminuser,ou=People,dc=foo )
here I meant the objects which are the children of admins object like these:
---[ LDIF 1 quotation start ]-------------------------------------------
## topmost object, "root" object, the one used for access to LDAP objects
dn: uid=adminuser,ou=People,dc=foo
...
objectClass: person

## branch for email service of talax.startrek.in domain object
dn: authorizedService=mail@talax.startrek.in,uid=adminuser,ou=People,dc=foo
...
objectClass: person

## email service of talax.startrek.in domain object
dn: uid=neelix@talax.startrek.in,authorizedService=mail@talax.startrek.in,uid=adminuser,ou=People,dc=foo
...
objectClass: person

## branch for email service of rinax.startrek.in domain object
dn: authorizedService=mail@rinax.startrek.in,uid=adminuser,ou=People,dc=foo
...
objectClass: person

## email service of rinax.startrek.in domain object
dn: uid=alixia@rinax.startrek.in,authorizedService=mail@rinax.startrek.in,uid=adminuser,ou=People,dc=foo
...
objectClass: person
---[ LDIF 1 quotation end ]-------------------------------------------
It depends partly on why the ACI ends with 'by * break'. What other rules could be applied in that case?
ok, thank you :) now I was able to get it all working this way:
---[ slapd.conf quotation start ]-------------------------------------------
...
## in the beginning we allow admins anything
access to *
    by set="[cn=admin,ou=group,ou=system,dc=foo]/memberUid & user/uid" manage
    by * break

## allowing all replicas to access the log
access to dn.children="cn=foo-accesslog"
    by dn.one="ou=repl,ou=system,dc=foo" read
    by * break

## allowing replica serving domain talax.startrek.in
access to dn.regex="^uid=(.*)@talax.startrek.in,authorizedService=(mail|xmpp)@talax.startrek.in,uid=(.*),ou=People,dc=foo$"
    attrs=entry,entryCSN,entryUUID, ... ,authorizedService,mu-mailBox
    by dn.exact="uid=repl-talax,ou=repl,ou=system,dc=foo" read
    by * break
access to dn.children="ou=talax,ou=Sendmail,dc=foo"
    by dn.exact="uid=repl-talax,ou=repl,ou=system,dc=foo" read
    by * stop

## allowing replica serving domain rinax.startrek.in
access to dn.regex="^uid=(.*)@rinax.startrek.in,authorizedService=(mail|xmpp)@rinax.startrek.in,uid=(.*),ou=People,dc=foo$"
    attrs=entry,entryCSN,entryUUID, ... ,authorizedService,mu-mailBox
    by dn.exact="uid=repl-rinax,ou=repl,ou=system,dc=foo" read
    by * break
access to dn.children="ou=talax,ou=Sendmail,dc=foo"
    by dn.exact="uid=repl-rinax,ou=repl,ou=system,dc=foo" read
    by * stop

## allowing access to jpegPhoto:
### replicas to search (otherwise replication failed)
### admins, coadmins, self and the topmost DN (the 1-st object in LDIF 1 sample above) to write
access to dn.subtree="ou=People,dc=foo" attrs=jpegPhoto
    by dn.one="ou=repl,ou=system,dc=foo" search
    by set="[cn=admin,ou=group,ou=system,dc=foo]/memberUid & user/uid" write
    by set="[cn=coadmin,ou=group,ou=system,dc=foo]/memberUid & user/uid" write
    by set.exact="this/-2 & user" write
    by self write
    by * none

## likewise
access to dn.subtree="ou=People,dc=foo"
    by dn.one="ou=repl,ou=system,dc=foo" search
    by set="[cn=acl-w-people,ou=group,ou=system,dc=foo]/memberUid & user/uid" write
    by set="[cn=acl-r-people,ou=group,ou=system,dc=foo]/memberUid & user/uid" read
    by self write
    by users read
    by * none

access to dn.subtree="ou=Organizations,dc=foo"
    by dn.one="ou=repl,ou=system,dc=foo" search
    by set="[cn=acl-w-organizations,ou=group,ou=system,dc=foo]/memberUid & user/uid" write
    by set="[cn=acl-r-organizations,ou=group,ou=system,dc=foo]/memberUid & user/uid" read
    by users read
    by * none

access to dn.subtree="ou=Inventory,dc=foo"
    by dn.one="ou=repl,ou=system,dc=foo" search
    by set="[cn=acl-w-inventory,ou=group,ou=system,dc=foo]/memberUid & user/uid" write
    by set="[cn=acl-r-inventory,ou=group,ou=system,dc=foo]/memberUid & user/uid" read
    by users read
    by * none

access to dn.subtree="ou=group,dc=foo"
    by dn.one="ou=repl,ou=system,dc=foo" search
    by set="[cn=acl-w-group,ou=group,ou=system,dc=foo]/memberUid & user/uid" write
    by set="[cn=acl-r-group,ou=group,ou=system,dc=foo]/memberUid & user/uid" read
    by users read
    by * none

# for `users' we set `search' because `read' allows to read all, but
# we tried to narrow what replica can get, otherwise removing it makes
# it impossible to get anything (perhaps it blocks some objects needed)
access to *
    by dn.exact="uid=SPECIAL-USER,ou=People,dc=foo" manage
    by set="[cn=admin,ou=group,ou=system,dc=foo]/memberUid & user/uid" manage
    by peername.ip=127.0.0.1 read
    by dn.one="ou=repl,ou=system,dc=foo" search
    by set="[cn=bind,ou=group,ou=system,dc=foo]/memberUid & user/uid" read
    by self read
    by users read
    by * none
...
---[ slapd.conf quotation end ]-------------------------------------------
In the simple case where 'by * none' would have the same effect, you could just put another ACI ahead of the one above so it comes out like this: ... The problem is to write the '<expression matching the admin user DNs>'.
is there a way to know whether a DN is a child of the admin's one, except to look at the end of it, whether it ends with "uid=ADMIN-USER-TO-PROCESS,ou=People,dc=foo" ?
That would probably be easier if you were not defining admin users by their UID in a Posix group. Ideally there would be an attribute visible in each entry that defines admin status, as then you could just key on that.
it implies using the attribute for each child object of the admin object
like:
---[ LDIF 2 quotation start ]-------------------------------------------
dn: uid=adminuser,ou=People,dc=foo
belongsToAdmin: yes
...
objectClass: person

## branch for email service of talax.startrek.in domain object
dn: authorizedService=mail@talax.startrek.in,uid=adminuser,ou=People,dc=foo
belongsToAdmin: yes
...
objectClass: person

## email service of talax.startrek.in domain object
dn: uid=neelix@talax.startrek.in,authorizedService=mail@talax.startrek.in,uid=adminuser,ou=People,dc=foo
belongsToAdmin: yes
...
objectClass: person

## branch for email service of rinax.startrek.in domain object
dn: authorizedService=mail@rinax.startrek.in,uid=adminuser,ou=People,dc=foo
belongsToAdmin: yes
...
objectClass: person

## email service of rinax.startrek.in domain object
dn: uid=alixia@rinax.startrek.in,authorizedService=mail@rinax.startrek.in,uid=adminuser,ou=People,dc=foo
belongsToAdmin: yes
...
objectClass: person
---[ LDIF 2 quotation end ]-------------------------------------------
correct?
If your admin group is defined as a standard DN-based groupOfNames then you could use the memberof overlay to reflect membership into an attribute of the user entry.
it implies providing all the admin's children DNs as members of such a group
like:
---[ LDIF 3 quotation start ]-------------------------------------------
dn: cn=admin,ou=group,ou=system,dc=foo
cn: admin
member: uid=adminuser,ou=People,dc=foo
member: authorizedService=mail@talax.startrek.in,uid=adminuser,ou=People,dc=foo
member: uid=neelix@talax.startrek.in,authorizedService=mail@talax.startrek.in,uid=adminuser,ou=People,dc=foo
member: authorizedService=mail@rinax.startrek.in,uid=adminuser,ou=People,dc=foo
member: uid=alixia@rinax.startrek.in,authorizedService=mail@rinax.startrek.in,uid=adminuser,ou=People,dc=foo
objectClass: groupOfNames
---[ LDIF 3 quotation end ]-------------------------------------------
correct?
openldap-technical@openldap.org