Andrew Findlay <andrew.findlay@skills-1st.co.uk> wrote:
> [ This is a very old thread you are resurrecting! ]
sorry, but I was not able to find the answer yet
below is a rather long reply/commentary ...
> access to dn.subtree="ou=People,dc=foo"
> by set="[cn=admin,ou=group,dc=foo]/memberUid & user/uid" manage
> by self write
> by users read
> by * break
>
> but in addition I need to allow my coadmins to do the same things except
> manipulations upon the objects which belong to admins (
> ...anyobject,uid=adminuser,ou=People,dc=foo )
here I meant the objects which are the children of the admin's object, like these:
---[ LDIF 1 quotation start ]-------------------------------------------
## topmost object, "root" object, the one used for access to LDAP objects
dn: uid=adminuser,ou=People,dc=foo
...
objectClass: person
## branch for email service of talax.startrek.in domain object
dn: authorizedService=mail@talax.startrek.in,uid=adminuser,ou=People,dc=foo
...
objectClass: person
## email service of talax.startrek.in domain object
dn: uid=neelix@talax.startrek.in,authorizedService=mail@talax.startrek.in,uid=adminuser,ou=People,dc=foo
...
objectClass: person
## branch for email service of rinax.startrek.in domain object
dn: authorizedService=mail@rinax.startrek.in,uid=adminuser,ou=People,dc=foo
...
objectClass: person
## email service of rinax.startrek.in domain object
dn: uid=alixia@rinax.startrek.in,authorizedService=mail@rinax.startrek.in,uid=adminuser,ou=People,dc=foo
...
objectClass: person
---[ LDIF 1 quotation end ]-------------------------------------------
> It depends partly on why the ACI ends with 'by * break'. What other
> rules could be applied in that case?
ok, thank you :)
now I was able to get it all working this way:
---[ slapd.conf quotation start ]-------------------------------------------
...
## in the beginning we allow admins anything
access to *
by set="[cn=admin,ou=group,ou=system,dc=foo]/memberUid & user/uid" manage
by * break
## allowing all replicas to access the log
access to dn.children="cn=foo-accesslog"
by dn.one="ou=repl,ou=system,dc=foo" read
by * break
## allowing replica serving domain talax.startrek.in
access to dn.regex="^uid=(.*)@talax.startrek.in,authorizedService=(mail|xmpp)@talax.startrek.in,uid=(.*),ou=People,dc=foo$"
attrs=entry,entryCSN,entryUUID, ... ,authorizedService,mu-mailBox
by dn.exact="uid=repl-talax,ou=repl,ou=system,dc=foo" read
by * break
access to dn.children="ou=talax,ou=Sendmail,dc=foo"
by dn.exact="uid=repl-talax,ou=repl,ou=system,dc=foo" read
by * stop
## allowing replica serving domain rinax.startrek.in
access to dn.regex="^uid=(.*)@rinax.startrek.in,authorizedService=(mail|xmpp)@rinax.startrek.in,uid=(.*),ou=People,dc=foo$"
attrs=entry,entryCSN,entryUUID, ... ,authorizedService,mu-mailBox
by dn.exact="uid=repl-rinax,ou=repl,ou=system,dc=foo" read
by * break
access to dn.children="ou=talax,ou=Sendmail,dc=foo"
by dn.exact="uid=repl-rinax,ou=repl,ou=system,dc=foo" read
by * stop
## allowing access to jpegPhoto:
### replicas to search (otherwise replication failed)
### admins, coadmins, self and the topmost DN (the 1-st object in LDIF 1 sample above) to write
access to dn.subtree="ou=People,dc=foo" attrs=jpegPhoto
by dn.one="ou=repl,ou=system,dc=foo" search
by set="[cn=admin,ou=group,ou=system,dc=foo]/memberUid & user/uid" write
by set="[cn=coadmin,ou=group,ou=system,dc=foo]/memberUid & user/uid" write
by set.exact="this/-2 & user" write
by self write
by * none
## likewise
access to dn.subtree="ou=People,dc=foo"
by dn.one="ou=repl,ou=system,dc=foo" search
by set="[cn=acl-w-people,ou=group,ou=system,dc=foo]/memberUid & user/uid" write
by set="[cn=acl-r-people,ou=group,ou=system,dc=foo]/memberUid & user/uid" read
by self write
by users read
by * none
access to dn.subtree="ou=Organizations,dc=foo"
by dn.one="ou=repl,ou=system,dc=foo" search
by set="[cn=acl-w-organizations,ou=group,ou=system,dc=foo]/memberUid & user/uid" write
by set="[cn=acl-r-organizations,ou=group,ou=system,dc=foo]/memberUid & user/uid" read
by users read
by * none
access to dn.subtree="ou=Inventory,dc=foo"
by dn.one="ou=repl,ou=system,dc=foo" search
by set="[cn=acl-w-inventory,ou=group,ou=system,dc=foo]/memberUid & user/uid" write
by set="[cn=acl-r-inventory,ou=group,ou=system,dc=foo]/memberUid & user/uid" read
by users read
by * none
access to dn.subtree="ou=group,dc=foo"
by dn.one="ou=repl,ou=system,dc=foo" search
by set="[cn=acl-w-group,ou=group,ou=system,dc=foo]/memberUid & user/uid" write
by set="[cn=acl-r-group,ou=group,ou=system,dc=foo]/memberUid & user/uid" read
by users read
by * none
# for `users' we set `search' because `read' allows reading everything, but
# we tried to narrow what the replica can get; removing it altogether makes
# it impossible to get anything (perhaps it blocks some objects that are needed)
access to *
by dn.exact="uid=SPECIAL-USER,ou=People,dc=foo" manage
by set="[cn=admin,ou=group,ou=system,dc=foo]/memberUid & user/uid" manage
by peername.ip=127.0.0.1 read
by dn.one="ou=repl,ou=system,dc=foo" search
by set="[cn=bind,ou=group,ou=system,dc=foo]/memberUid & user/uid" read
by self read
by users read
by * none
...
---[ slapd.conf quotation end ]-------------------------------------------
> In the simple case where 'by * none' would have the same effect, you could
> just put another ACI ahead of the one above so it comes out like this:
> ...
> The problem is to write the '<expression matching the admin user DNs>'.
is there a way to know whether a DN is a child of the admin's one,
except to look at the end of it, i.e. whether it ends with
"uid=ADMIN-USER-TO-PROCESS,ou=People,dc=foo" ?
> That would probably be easier if you were not defining admin users by their
> UID in a Posix group. Ideally there would be an attribute visible in each
> entry that defines admin status, as then you could just key on that.
that implies using the attribute for each child object of the admin object,
like:
---[ LDIF 2 quotation start ]-------------------------------------------
dn: uid=adminuser,ou=People,dc=foo
belongsToAdmin: yes
...
objectClass: person
## branch for email service of talax.startrek.in domain object
dn: authorizedService=mail@talax.startrek.in,uid=adminuser,ou=People,dc=foo
belongsToAdmin: yes
...
objectClass: person
## email service of talax.startrek.in domain object
dn: uid=neelix@talax.startrek.in,authorizedService=mail@talax.startrek.in,uid=adminuser,ou=People,dc=foo
belongsToAdmin: yes
...
objectClass: person
## branch for email service of rinax.startrek.in domain object
dn: authorizedService=mail@rinax.startrek.in,uid=adminuser,ou=People,dc=foo
belongsToAdmin: yes
...
objectClass: person
## email service of rinax.startrek.in domain object
dn: uid=alixia@rinax.startrek.in,authorizedService=mail@rinax.startrek.in,uid=adminuser,ou=People,dc=foo
belongsToAdmin: yes
...
objectClass: person
---[ LDIF 2 quotation end ]-------------------------------------------
correct?
> If your admin group is defined as a standard DN-based groupOfNames then
> you could use the memberof overlay to reflect membership into an attribute
> of the user entry.
that implies providing all of the admin's child DNs as members of such a group,
like
---[ LDIF 3 quotation start ]-------------------------------------------
dn: cn=admin,ou=group,ou=system,dc=foo
cn: admin
member: uid=adminuser,ou=People,dc=foo
member: authorizedService=mail@talax.startrek.in,uid=adminuser,ou=People,dc=foo
member: uid=neelix@talax.startrek.in,authorizedService=mail@talax.startrek.in,uid=adminuser,ou=People,dc=foo
member: authorizedService=mail@rinax.startrek.in,uid=adminuser,ou=People,dc=foo
member: uid=alixia@rinax.startrek.in,authorizedService=mail@rinax.startrek.in,uid=adminuser,ou=People,dc=foo
objectClass: groupOfNames
---[ LDIF 3 quotation end ]-------------------------------------------
correct?
--
Zeus V. Panchenko jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
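The question in the message above is whether an entry can be recognised as a child of the admin's entry other than by looking at the end of its DN string. Two things make a plain suffix or regex test on the DN string fragile: the string form of a DN is not canonical (spacing, case and `\,` versus `\2C` escaping all vary while the DN stays the same), and in the `dn.regex` rules quoted above `uid=(.*),ou=People,dc=foo$` lets `.*` span commas, so it also accepts entries that sit several RDNs below ou=People. The following is an added example written for this page (editor's code, not from the thread or from OpenLDAP): it parses the DN into RDNs per RFC 4514 and then compares RDN by RDN, alongside the naive suffix test for contrast. The admin uid set, the base DN and all sample DNs are constructed stand-ins; the attribute types involved (uid, ou, dc) are assumed to compare case-insensitively, which is not true of every attribute syntax.

```python
# Added example (editor's code, not from the thread or from OpenLDAP): decide
# whether an entry sits under an admin's ou=People entry by comparing parsed
# RDNs instead of the DN string's suffix.
# Assumptions not taken from the original post: DNs are RFC 4514 strings;
# attribute types and the values used here compare case-insensitively;
# ADMIN_UIDS stands in for memberUid of cn=admin,ou=group,ou=system,dc=foo.
from __future__ import annotations

PEOPLE_BASE = "ou=People,dc=foo"
ADMIN_UIDS = {"adminuser"}          # constructed stand-in for the group's memberUid


def _split_unescaped(s: str, sep: str) -> list[str]:
    """Split on sep, but not on a sep that is backslash-escaped."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])  # keep the escape pair intact for now
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value: str) -> str:
    """Resolve \\XX hex escapes (UTF-8 bytes) and \\c single-character escapes."""
    raw = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                raw.append(int(pair, 16))
                i += 3
            else:
                raw += value[i + 1].encode("utf-8")
                i += 2
        else:
            raw += value[i].encode("utf-8")
            i += 1
    return raw.decode("utf-8", errors="replace")


def parse_dn(dn: str) -> list[frozenset[tuple[str, str]]]:
    """Leaf-first list of RDNs; each RDN is a set of (type, value) pairs so that
    multi-valued RDNs (a=1+b=2) and spacing/case differences compare equal."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = set()
        for ava in _split_unescaped(rdn, "+"):
            typ, _, val = ava.partition("=")
            avas.add((typ.strip().lower(), _unescape(val.strip()).lower()))
        rdns.append(frozenset(avas))
    return rdns


def is_under(dn: str, ancestor: str) -> bool:
    """True iff dn is a proper descendant of ancestor, compared RDN by RDN."""
    d, a = parse_dn(dn), parse_dn(ancestor)
    return len(d) > len(a) and d[-len(a):] == a


def owner_uid(dn: str) -> str | None:
    """uid of the ou=People entry that dn is, or sits under; None if outside."""
    d, base = parse_dn(dn), parse_dn(PEOPLE_BASE)
    if len(d) <= len(base) or d[-len(base):] != base:
        return None
    for typ, val in d[-len(base) - 1]:   # the RDN directly below ou=People
        if typ == "uid":
            return val
    return None


def belongs_to_admin(dn: str) -> bool:
    """RDN-aware test: is the entry the admin's own entry or one of its children?"""
    uid = owner_uid(dn)
    return uid is not None and uid in ADMIN_UIDS


def naive_belongs_to_admin(dn: str) -> bool:
    """The plain string-suffix test the post asks about, kept for comparison."""
    return any(dn.lower().endswith(f"uid={u},{PEOPLE_BASE}".lower()) for u in ADMIN_UIDS)


if __name__ == "__main__":
    samples = [  # constructed DNs for the demonstration
        "uid=neelix@talax.startrek.in,authorizedService=mail@talax.startrek.in,uid=adminuser,ou=People,dc=foo",
        "uid=bob,ou=People,dc=foo",
        "cn=x\\,uid=adminuser,ou=People,dc=foo",      # one RDN whose value contains a comma
        "cn=x\\2Cuid=adminuser,ou=People,dc=foo",     # same value, hex-escaped
        "UID=NEELIX@talax.startrek.in,authorizedService=mail@talax.startrek.in, uid=AdminUser , ou=People,dc=foo",
    ]
    for s in samples:
        print(f"parsed={belongs_to_admin(s)!s:5} suffix={naive_belongs_to_admin(s)!s:5}  {s}")
```

Running the block shows the two tests disagreeing in both directions: a direct child of ou=People whose RDN value merely contains `,uid=adminuser` passes the suffix test but not the parsed one, while the admin's real child written with different case and spacing passes the parsed test but not the suffix one. The same parsing discipline is what an attribute-based approach (the `belongsToAdmin` attribute or the memberof overlay discussed above) sidesteps entirely, since the ACL then keys on entry content rather than on DN strings.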