In the message of Monday 21 April 2008 17:30:08 you wrote:
Note, you replied just to me - might have gotten a quicker reply from someone else if you replied to the list. Anyway...
uri_gr1@tut.by writes:
> I have openldap-2.4.8 up and running. I have ou=People subtree with posixAccounts and I need to grant access to, let's say, ou=Clients,ou=AddressBook by all rdn's in ou=People, having gidNumber=10008.
I'm not quite sure what you mean with "by all rdn's". (...)
> user uid=uri_gr1,ou=People,dc=tut,dc=by should have write access to ou=Clients,ou=AddressBook,dc=tut,dc=by subtree if the user entry contains attribute gidNumber: 10008
Still untested -
access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
    by dn.onelevel=ou=People,dc=tut,dc=by set.exact="self/gidNumber & 10008" write

and maybe "by * read" or whatever for everyone else.
I tested ACLs below:
# ACL for clients addressbook
access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
    by dn.onelevel=ou=People,dc=tut,dc=by set.exact="self/gidNumber & 10003" write
access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
    by dn.onelevel=ou=People,dc=tut,dc=by set.exact="self/gidNumber & 10007" write
access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
    by dn.onelevel=ou=People,dc=tut,dc=by set.exact="self/gidNumber & 10008" write
access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
    by dn.exact=cn=admin,ou=Groups,dc=tut,dc=by write
access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
    by dn.exact=cn=manager,ou=Groups,dc=tut,dc=by write
access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
    by dn.exact=cn=seller,ou=Groups,dc=tut,dc=by write
access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
    by * none
But it didn't work. Access to ou=Clients,ou=AddressBook,dc=tut,dc=by is restricted for everyone. Is it possible to write some ACLs like: ... by filter="(&(objectclass=posixAccount)(gidNumber=10008))" ...
As far as I know it is accepted in "to ..." rules, but what about "by ..."? I tried it earlier, but maybe it failed because of wrong syntax?
uri_gr1@tut.by writes:
> I tested ACLs below: (...) But it didn't work. Access to ou=Clients,ou=AddressBook,dc=tut,dc=by is restricted for everyone.
Sorry, I forgot to quote the gidNumber values. Literal values in sets are quoted with [].
Also you asked for another access than you actually wanted. Read man slapd.access: Only the first "to" clause which matches what you want to access, is used. Your first "access" clause hid all the others, since they had the same "to". Similarly, in the chosen "to" clause, only the first "by" clause which matches who is accessing, is used.
There are keywords to avoid these rules ("break", "continue", "stop"), but you don't need them for this.
So, let me try again (still untested, hope I'm getting it right this time) -
access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
    by dn.onelevel=ou=People,dc=tut,dc=by set.exact="self/gidNumber & ([10003] | [10007] | [10008])" write
    by dn.exact=cn=admin,ou=Groups,dc=tut,dc=by write
    by dn.exact=cn=manager,ou=Groups,dc=tut,dc=by write
    by dn.exact=cn=seller,ou=Groups,dc=tut,dc=by write
    by * none
BTW, do you really Bind as e.g. "cn=seller,ou=Groups,dc=tut,dc=by", or is that the name of a group like it looks like?
> Is it possible to write some ACLs like: by filter="(&(objectclass=posixAccount)(gidNumber=10008))" ...
Not directly, but that's in practice what the "set" ACLs emulate:

    by set.exact="self/objectClass & [posixAccount]" set.exact="self/gidNumber & [10008]"

(with multiple rules in a "to" and "by" clause there is an implicit "and" between them.)
Sets are still marked "experimental" though. And they are less efficient than rules that have logic better built in. They are described here in the FAQ: http://www.openldap.org/faq/data/cache/1133.html
In the message of Wednesday 23 April 2008 15:14:08 Hallvard B Furuseth wrote:
> uri_gr1@tut.by writes:
> > I tested ACLs below: (...) But it didn't work. Access to ou=Clients,ou=AddressBook,dc=tut,dc=by is restricted for everyone.
> Sorry, I forgot to quote the gidNumber values. Literal values in sets are quoted with [].
> Also you asked for another access than you actually wanted. Read man slapd.access: Only the first "to" clause which matches what you want to access, is used. Your first "access" clause hid all the others, since they had the same "to". Similarly, in the chosen "to" clause, only the first "by" clause which matches who is accessing, is used.
> There are keywords to avoid these rules ("break", "continue", "stop"), but you don't need them for this.
> So, let me try again (still untested, hope I'm getting it right this time) -
>
> access to dn.subtree=ou=Clients,ou=AddressBook,dc=tut,dc=by
>     by dn.onelevel=ou=People,dc=tut,dc=by set.exact="self/gidNumber & ([10003] | [10007] | [10008])" write
>     by dn.exact=cn=admin,ou=Groups,dc=tut,dc=by write
>     by dn.exact=cn=manager,ou=Groups,dc=tut,dc=by write
>     by dn.exact=cn=seller,ou=Groups,dc=tut,dc=by write
>     by * none
Nope, it also doesn't work.
> BTW, do you really Bind as e.g. "cn=seller,ou=Groups,dc=tut,dc=by", or is that the name of a group like it looks like?
I bind as "cn=Test User,ou=People,dc=tut,dc=by". This entry has the attribute gidNumber=10008. "cn=seller,ou=Groups,dc=tut,dc=by" is a group with gidNumber=10008, but "cn=seller,ou=Groups,dc=tut,dc=by" does not have "cn=Test User,ou=People,dc=tut,dc=by" in its "member" attribute.
> > Is it possible to write some ACLs like: by filter="(&(objectclass=posixAccount)(gidNumber=10008))" ...
> Not directly, but that's in practice what the "set" ACLs emulate:
>
>     by set.exact="self/objectClass & [posixAccount]" set.exact="self/gidNumber & [10008]"
>
> (with multiple rules in a "to" and "by" clause there is an implicit "and" between them.)
> Sets are still marked "experimental" though. And they are less efficient than rules that have logic better built in. They are described here in the FAQ: http://www.openldap.org/faq/data/cache/1133.html
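The two slapd.access rules Hallvard points to (only the first matching "to" clause is consulted, and within it only the first matching "by" clause decides) are easy to misread, so here is a small model of them applied to the ACLs from this thread. This is an added example, not code from the thread or from OpenLDAP: it is a toy evaluator, not slapd, and the directory entries in it (Test User with gidNumber 10008 as stated above, a constructed "Other User" with gidNumber 10001, one constructed client entry) are made up. Its set evaluator follows slapd.access(5) and the sets FAQ linked above in knowing exactly two identifiers, user (the bound DN) and this (the entry being accessed), with bracketed [literals]; by assumption it treats any other unbracketed token, which covers both the unquoted 10008 from the first posting and the self/ spelling, as a malformed set that matches nothing, and gives & precedence over |. With those assumptions it reproduces both outcomes reported in the thread and shows what the merged directive yields once the bound DN is referenced as user/gidNumber.

```python
# Toy model of the slapd ACL rules quoted in this thread (constructed example).
import re
# Constructed directory: two accounts under ou=People, the seller group, and
# one entry inside the protected address-book subtree.
DIRECTORY = {
    "cn=Test User,ou=People,dc=tut,dc=by": {"objectClass": ["posixAccount"], "gidNumber": ["10008"]},
    "cn=Other User,ou=People,dc=tut,dc=by": {"objectClass": ["posixAccount"], "gidNumber": ["10001"]},
    "cn=seller,ou=Groups,dc=tut,dc=by": {"objectClass": ["posixGroup"], "gidNumber": ["10008"]},
    "cn=Acme,ou=Clients,ou=AddressBook,dc=tut,dc=by": {"objectClass": ["organization"]},
}
# Tokens of a set pattern: [literal], the operators ( ) & |, or a name like user/gidNumber.
TOKEN = re.compile(r"\s*(\[[^\]]*\]|[()&|]|[^\s()&|\[\]]+)")


class SetEval:
    # Evaluates one set pattern; a "by ... set" clause matches when the result is non-empty.
    def __init__(self, directory, this_dn, user_dn):
        self.dir, self.this, self.user = directory, this_dn, user_dn
    def evaluate(self, expr):
        self.toks, self.pos = TOKEN.findall(expr), 0
        try:
            result = self._or()
            return result if self.pos == len(self.toks) else set()
        except (ValueError, IndexError):
            return set()          # assumption: a malformed set matches nothing

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        self.pos += 1
        return self.toks[self.pos - 1]   # IndexError here means a truncated set

    def _or(self):                # assumption: & binds tighter than |
        left = self._and()
        while self._peek() == "|":
            self._take()
            left = left | self._and()
        return left

    def _and(self):
        left = self._atom()
        while self._peek() == "&":
            self._take()
            left = left & self._atom()
        return left

    def _atom(self):
        tok = self._take()
        if tok == "(":
            val = self._or()
            if self._take() != ")":
                raise ValueError("missing )")
            return val
        if tok.startswith("["):
            return {tok[1:-1]}    # [literal], the quoting Hallvard's reply asks for
        name, *attrs = tok.split("/")
        if name == "this":
            values = {self.this}  # the entry being accessed
        elif name == "user":
            values = {self.user}  # the bound DN
        else:                     # "self", a bare 10008, ...: not a set identifier
            raise ValueError("unknown set identifier " + name)
        for attr in attrs:        # user/gidNumber -> that attribute's values
            values = {v for dn in values for v in self.dir.get(dn, {}).get(attr, [])}
        return values


def who_matches(who, user_dn):
    style, _, pattern = who.partition("=")
    return (who == "*" or (style == "dn.exact" and user_dn == pattern)
            or (style == "dn.onelevel" and user_dn.split(",", 1)[1] == pattern))


def evaluate_access(acl, directory, user_dn, target_dn):
    # acl is a list of (to_subtree, [(who, set_expr_or_None, level), ...]).
    for to_subtree, by_clauses in acl:
        if not (target_dn == to_subtree or target_dn.endswith("," + to_subtree)):
            continue              # this "to" clause does not cover the target
        ev = SetEval(directory, target_dn, user_dn)
        for who, set_expr, level in by_clauses:
            if who_matches(who, user_dn) and (set_expr is None or ev.evaluate(set_expr)):
                return level      # first matching "by" clause decides
        return "none"             # "to" matched but no "by" did: denied
    return "none"                 # simplification: no "to" clause matched


TO = "ou=Clients,ou=AddressBook,dc=tut,dc=by"
PEOPLE = "dn.onelevel=ou=People,dc=tut,dc=by"
GROUPS = [("dn.exact=cn=%s,ou=Groups,dc=tut,dc=by" % g, None, "write") for g in ("admin", "manager", "seller")]
# The ACL as first posted: seven directives with the same "to", one "by" each, unbracketed literals.
POSTED_ACL = [(TO, [(PEOPLE, "self/gidNumber & %s" % g, "write")]) for g in ("10003", "10007", "10008")]
POSTED_ACL += [(TO, [by]) for by in GROUPS] + [(TO, [("*", None, "none")])]


def merged_acl(ident):
    # One directive carrying every "by" clause; ident is the set identifier ("self" or "user").
    gid_set = "%s/gidNumber & ([10003] | [10007] | [10008])" % ident
    return [(TO, [(PEOPLE, gid_set, "write")] + GROUPS + [("*", None, "none")])]


TEST_USER = "cn=Test User,ou=People,dc=tut,dc=by"    # gidNumber 10008, as in the thread
OTHER_USER = "cn=Other User,ou=People,dc=tut,dc=by"  # gidNumber 10001, constructed
TARGET = "cn=Acme,ou=Clients,ou=AddressBook,dc=tut,dc=by"
```

Calling evaluate_access(POSTED_ACL, DIRECTORY, TEST_USER, TARGET) returns "none": the first directive's "to" covers the target, its single "by" does not match (the set is malformed), and slapd never looks at the six directives below it, which is why the posted ACL locks everyone out regardless of gidNumber. merged_acl("self") also yields "none" for Test User, consistent with the follow-up report, while merged_acl("user") yields "write" for Test User, "none" for the constructed 10001 user, and "write" for a bind as cn=seller,ou=Groups,dc=tut,dc=by through its dn.exact clause. The model ignores DN normalisation, the set styles other than exact, and how slapd handles a target that no "to" clause covers, so use it to reason about ordering, not as a substitute for testing against a real slapd.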