
LDAP ACL controls inside LDAP
Hi, I am trying to produce something along the lines of a 'shared contact list', as well as ACLs for general object permissions. To accomplish this, I have produced some code to add arbitrary permission groups off of a main object. So a DN like

cn=contacts, cn=bob, dc=example...

would have write permissions for it and its children specified in the group
cn=write, cn=contacts, cn=bob, dc=example...

I would like to implement a static slapd.conf acl structure that will consistently work for object permissions like the above.

In write permission cases, protection would have to be implemented to stop people with write access from modifying the acl lists.

I think it would be something like this:

#Root or user modifying self
access to *
	by sockurl="^ldapi:///$" write
	by self write

#Administrative access
access to dn="(.*), (.*)" attrs=children
	by group="cn=admin, $2" write

#Write only access
#	these block write-only users from parent dn's from admin'ing
access to dn="cn=admin, (.*), (.*)"
	by group="cn=write, $2" read
access to dn="cn=write, (.*), (.*)"
	by group="cn=write, $2" read
access to dn="cn=read, (.*), (.*)"
	by group="cn=write, $2" read
#	these block same level write-only users from admin'ing
access to dn="cn=admin, (.*)"
	by group="cn=write, $1" read
access to dn="cn=write, (.*)"
	by group="cn=write, $1" read
access to dn="cn=read, (.*)"
	by group="cn=write, $1" read
#	now write permissions to non-perm access
access to dn="(.*), (.*)"
	by group="cn=write, $2" write

#Read only access
access to dn="(.*), (.*)"
	by group="cn=read, $2" read

#Authentication
access to * by anonymous auth


I am trying to get the above to check recursively for permissions through the tree (full target DN to root). Will the above ACLs do that? Also, is there a way to make ACLs check groups of names contained in groups of names? Should I be using attrs=children or dn.children to grant the permission on the children objects of the object (and not the object) instead of the regex? Is there a way to include 'anonymous' or 'user' in a group of names (i.e. checking that 'anonymous' is a member of cn=read, .*)?


Or should I be doing something this complicated with aci (I plan to only use OpenLDAP)? I think I am totally clueless, so any insightful flames are welcome.


Thanks, Chris Hamilton
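The following slapd.conf ACL fragment is a constructed example added to this archive page; it is not part of Chris's post and not taken from OpenLDAP's own documentation. It shows one way to express the per-object cn=admin / cn=write / cn=read group scheme described above using the later dn.regex and group.expand ACL styles, with the rules that protect the permission groups placed ahead of the general write rule. It assumes a suffix of dc=example,dc=com and that the permission groups are groupOfNames entries sitting directly under the object they govern, e.g. cn=write,cn=contacts,cn=bob,dc=example,dc=com.

```conf
# Constructed example slapd.conf ACL fragment (not from the original post).
# Assumed layout: suffix dc=example,dc=com; each object may carry groupOfNames
# entries cn=admin, cn=write and cn=read directly beneath it.
# slapd evaluates "access to" clauses in order and stops at the first target
# match, so the clauses that lock down the permission groups come first.

# Local root over the ldapi:// socket, and a user editing its own entry.
# "break" lets evaluation continue for everyone else.
access to *
	by sockurl.regex="^ldapi:///$" write
	by self write
	by * break

# The permission groups themselves.  $2 is the DN of the governed object
# captured by the regex; only that object's cn=admin group may change them,
# its cn=write and cn=read groups get read-only, everyone else gets nothing.
access to dn.regex="^cn=(admin|write|read),(.+)$"
	by group.expand="cn=admin,$2" write
	by group.expand="cn=write,$2" read
	by group.expand="cn=read,$2" read
	by * none

# An object's own groups: cn=admin and cn=write may modify the object and
# add or delete entries beneath it (the children pseudo-attribute is covered
# because no attrs= list is given); cn=read may read it.
access to dn.regex="^(.+,dc=example,dc=com)$"
	by group.expand="cn=admin,$1" write
	by group.expand="cn=write,$1" write
	by group.expand="cn=read,$1" read
	by * break

# Entries one level below an object: the parent's groups apply.  $1 is the
# parent DN (the part after the first RDN).
access to dn.regex="^[^,]+,(.+,dc=example,dc=com)$"
	by group.expand="cn=admin,$1" write
	by group.expand="cn=write,$1" write
	by group.expand="cn=read,$1" read
	by * break

# Anyone may bind; nothing further is granted by default.
access to *
	by anonymous auth
	by * none
```

Two caveats on the design. Each dn.regex clause matches at a fixed depth (the object itself, or one level below it), so checking every ancestor up to the root needs one clause per level rather than a single recursive rule. The group checks also look only at the named group's member attribute; groups nested inside a group are not expanded by the ACL engine. The rules can be exercised offline against a configuration file with slapacl, for example: slapacl -f slapd.conf -D "cn=alice,dc=example,dc=com" -b "cn=contacts,cn=bob,dc=example,dc=com" entry/write (the DNs here are placeholders), which reports whether the bound identity would be granted the requested access without starting the server.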