3:51 a.m.
hi,
I'm trying to configure a not complex (as I believe) ACL ... but have some
difficulties
I have two posixGroup groups
cn=admins,ou=group,dc=foo
cn=coadmins,ou=group,dc=foo
my users resides in ou=People,dc=foo
so, in subtree ou=People,dc=foo I need to allow anything to admins (and
it is not difficult of course)
for example this works for me:
access to dn.subtree="ou=People,dc=foo"
by set="[cn=admin,ou=group,dc=foo]/memberUid & user/uid" manage
by self write
by users read
by * break
but in addition I need to allow my coadmins to do the same things except
manipulations upon the objects which belong to admins (
...anyobject,uid=adminuser,ou=People,dc=foo )
so, the question is: how? (if it is possible at all) :(
please, advise
--
Zeus V. Panchenko jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
8:32 a.m.
[ This is a very old thread you are resurrecting! ]
On Fri, Sep 09, 2016 at 01:51:47PM +0300, Zeus Panchenko wrote:
I have two posixGroup groups
cn=admins,ou=group,dc=foo
cn=coadmins,ou=group,dc=foo
my users resides in ou=People,dc=foo
so, in subtree ou=People,dc=foo I need to allow anything to admins (and
it is not difficult of course)
for example this works for me:
access to dn.subtree="ou=People,dc=foo"
by set="[cn=admin,ou=group,dc=foo]/memberUid & user/uid" manage
by self write
by users read
by * break
but in addition I need to allow my coadmins to do the same things except
manipulations upon the objects which belong to admins (
...anyobject,uid=adminuser,ou=People,dc=foo )
so, the question is: how? (if it is possible at all) :(
It depends partly on why the ACI ends with 'by * break'. What other
rules could be applied in that case?
In the simple case where 'by * none' would have the same effect, you could
just put another ACI ahead of the one above so it comes out like this:
access to <expression matching the admin user DNs>
by self write
by users read
by * none
access to dn.subtree="ou=People,dc=foo"
by set="[cn=admin,ou=group,dc=foo]/memberUid & user/uid" manage
by self write
by users read
by * none
The problem is to write the '<expression matching the admin user DNs>'.
That would probably be easier if you were not defining admin users by their
UID in a Posix group. Ideally there would be an attribute visible in each
entry that defines admin status, as then you could just key on that.
If your admin group is defined as a standard DN-based groupOfNames then
you could use the memberof overlay to reflect membership into an attribute
of the user entry.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
3:28 a.m.
Andrew Findlay <andrew.findlay(a)skills-1st.co.uk> wrote:
[ This is a very old thread you are resurrecting! ]
sorry, but was not able to find the answer yet
bellow is a bit long reply/commentary ...
> access to dn.subtree="ou=People,dc=foo"
> by set="[cn=admin,ou=group,dc=foo]/memberUid & user/uid"
manage
> by self write
> by users read
> by * break
>
> but in addition I need to allow my coadmins to do the same things except
> manipulations upon the objects which belong to admins (
> ...anyobject,uid=adminuser,ou=People,dc=foo )
here I meant the objects which are the children of admins object like these:
---[ LDIF 1 quotation start ]-------------------------------------------
## topmost object, "root" object, the one used for access to LDAP objects
dn: uid=adminuser,ou=People,dc=foo
...
objectClass: person
## branch for email service of talax.startrek.in domain object
dn: authorizedService=mail(a)talax.startrek.in,uid=adminuser,ou=People,dc=foo
...
objectClass: person
## email service of talax.startrek.in domain object
dn:
uid=neelix@talax.startrek.in,authorizedService=mail@talax.startrek.in,uid=adminuser,ou=People,dc=foo
...
objectClass: person
## branch for email service of rinax.startrek.in domain object
dn: authorizedService=mail(a)rinax.startrek.in,uid=adminuser,ou=People,dc=foo
...
objectClass: person
## email service of rinax.startrek.in domain object
dn:
uid=alixia@rinax.startrek.in,authorizedService=mail@rinax.startrek.in,uid=adminuser,ou=People,dc=foo
...
objectClass: person
---[ LDIF 1 quotation end ]-------------------------------------------
It depends partly on why the ACI ends with 'by * break'. What
other
rules could be applied in that case?
ok, thank you :)
now I was able to manage all it working this way:
---[ slapd.conf quotation start ]-------------------------------------------
...
## in the begining we allow admins anything
access to *
by set="[cn=admin,ou=group,ou=system,dc=foo]/memberUid & user/uid"
manage
by * break
## allowing all replicas to access the log
access to dn.children="cn=foo-accesslog"
by dn.one="ou=repl,ou=system,dc=foo" read
by * break
## allowing replica serving domain talax.startrek.in
access to
dn.regex="^uid=(.*)@talax.startrek.in,authorizedService=(mail|xmpp)@talax.startrek.in,uid=(.*),ou=People,dc=foo$"
attrs=entry,entryCSN,entryUUID, ... ,authorizedService,mu-mailBox
by dn.exact="uid=repl-talax,ou=repl,ou=system,dc=foo" read
by * break
access to dn.children="ou=talax,ou=Sendmail,dc=foo"
by dn.exact="uid=repl-talax,ou=repl,ou=system,dc=foo" read
by * stop
## allowing replica serving domain rinax.startrek.in
access to
dn.regex="^uid=(.*)@rinax.startrek.in,authorizedService=(mail|xmpp)@rinax.startrek.in,uid=(.*),ou=People,dc=foo$"
attrs=entry,entryCSN,entryUUID, ... ,authorizedService,mu-mailBox
by dn.exact="uid=repl-rinax,ou=repl,ou=system,dc=foo" read
by * break
access to dn.children="ou=talax,ou=Sendmail,dc=foo"
by dn.exact="uid=repl-rinax,ou=repl,ou=system,dc=foo" read
by * stop
## allowing access to jpegPhoto:
### replicas to search (otherwise replication failed)
### admins, coadmins, self and the topmost DN (the 1-st object in LDIF 1 sample above) to
write
access to dn.subtree="ou=People,dc=foo" attrs=jpegPhoto
by dn.one="ou=repl,ou=system,dc=foo" search
by set="[cn=admin,ou=group,ou=system,dc=foo]/memberUid & user/uid"
write
by set="[cn=coadmin,ou=group,ou=system,dc=foo]/memberUid & user/uid"
write
by set.exact="this/-2 & user" write
by self write
by * none
## likewise
access to dn.subtree="ou=People,dc=foo"
by dn.one="ou=repl,ou=system,dc=foo" search
by set="[cn=acl-w-people,ou=group,ou=system,dc=foo]/memberUid &
user/uid" write
by set="[cn=acl-r-people,ou=group,ou=system,dc=foo]/memberUid &
user/uid" read
by self write
by users read
by * none
access to dn.subtree="ou=Organizations,dc=foo"
by dn.one="ou=repl,ou=system,dc=foo" search
by set="[cn=acl-w-organizations,ou=group,ou=system,dc=foo]/memberUid &
user/uid" write
by set="[cn=acl-r-organizations,ou=group,ou=system,dc=foo]/memberUid &
user/uid" read
by users read
by * none
access to dn.subtree="ou=Inventory,dc=foo"
by dn.one="ou=repl,ou=system,dc=foo" search
by set="[cn=acl-w-inventory,ou=group,ou=system,dc=foo]/memberUid &
user/uid" write
by set="[cn=acl-r-inventory,ou=group,ou=system,dc=foo]/memberUid &
user/uid" read
by users read
by * none
access to dn.subtree="ou=group,dc=foo"
by dn.one="ou=repl,ou=system,dc=foo" search
by set="[cn=acl-w-group,ou=group,ou=system,dc=foo]/memberUid &
user/uid" write
by set="[cn=acl-r-group,ou=group,ou=system,dc=foo]/memberUid &
user/uid" read
by users read
by * none
# for `users' we set `search' because `read' allows to read all, but
# we tried to narrow what replica can get, otherwise removing it makes
# it impossible to get anything (perhaps it blocks some objects needed)
access to *
by dn.exact="uid=SPECIAL-USER,ou=People,dc=foo" manage
by set="[cn=admin,ou=group,ou=system,dc=foo]/memberUid & user/uid"
manage
by peername.ip=127.0.0.1 read
by dn.one="ou=repl,ou=system,dc=foo" search
by set="[cn=bind,ou=group,ou=system,dc=foo]/memberUid & user/uid"
read
by self read
by users read
by * none
...
---[ slapd.conf quotation end ]-------------------------------------------
In the simple case where 'by * none' would have the same
effect, you could
just put another ACI ahead of the one above so it comes out like this:
...
The problem is to write the '<expression matching the admin user DNs>'.
is there way to know whether DN is a child of the admin's one,
except to look at the end of it, whether it ends with
"uid=ADMIN-USER-TO-PROCESS,ou=People,dc=foo" ?
That would probably be easier if you were not defining admin users by
their
UID in a Posix group. Ideally there would be an attribute visible in each
entry that defines admin status, as then you could just key on that.
it implies to use the attribute for each child object of the admin object
like:
---[ LDIF 2 quotation start ]-------------------------------------------
dn: uid=adminuser,ou=People,dc=foo
belongsToAdmin: yes
...
objectClass: person
## branch for email service of talax.startrek.in domain object
dn: authorizedService=mail(a)talax.startrek.in,uid=adminuser,ou=People,dc=foo
belongsToAdmin: yes
...
objectClass: person
## email service of talax.startrek.in domain object
dn:
uid=neelix@talax.startrek.in,authorizedService=mail@talax.startrek.in,uid=adminuser,ou=People,dc=foo
belongsToAdmin: yes
...
objectClass: person
## branch for email service of rinax.startrek.in domain object
dn: authorizedService=mail(a)rinax.startrek.in,uid=adminuser,ou=People,dc=foo
belongsToAdmin: yes
...
objectClass: person
## email service of rinax.startrek.in domain object
dn:
uid=alixia@rinax.startrek.in,authorizedService=mail@rinax.startrek.in,uid=adminuser,ou=People,dc=foo
belongsToAdmin: yes
...
objectClass: person
---[ LDIF 2 quotation end ]-------------------------------------------
correct?
If your admin group is defined as a standard DN-based groupOfNames
then
you could use the memberof overlay to reflect membership into an attribute
of the user entry.
it implies to provide all admin's children dn-s as member for such a group
like
---[ LDIF 3 quotation start ]-------------------------------------------
dn: cn=admin,ou=group,ou=system,dc=foo
cn: admin
member: uid=adminuser,ou=People,dc=foo
member: authorizedService=mail(a)talax.startrek.in,uid=adminuser,ou=People,dc=foo
member:
uid=neelix@talax.startrek.in,authorizedService=mail@talax.startrek.in,uid=adminuser,ou=People,dc=foo
member: authorizedService=mail(a)rinax.startrek.in,uid=adminuser,ou=People,dc=foo
member:
uid=alixia@rinax.startrek.in,authorizedService=mail@rinax.startrek.in,uid=adminuser,ou=People,dc=foo
objectClass: groupOfNames
---[ LDIF 3 quotation end ]-------------------------------------------
correct?
--
Zeus V. Panchenko jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
2066
days inactive
2386
days old
openldap-technical@openldap.org
2 comments
2 participants
participants (2)
-
Andrew Findlay -
Zeus Panchenko