
RE: slapd.conf acl based on uniqueMember attribute



On Sat, 12 May 2001, Howard Chu wrote:

> We have an "owner" object, which contains an "account" attribute, which
> lists all of the accounts that are owned by the "owner." So, an ACL like:
>
>   access to *
>     by selfattr=account write
>
> says to check if the entry of the current logged-in user contains an
> "account" attribute, and the DN of the target object is listed there, then
> give write access to the target. Your indirection through an "owner"
> attribute is interesting, certainly even more flexible than what I
> implemented. At this point I can't think of a meaningful syntax to express
> that indirection.

This could be expressed using the (to my knowledge) undocumented "set" acl
clause.  From my understanding of the One True Doc (i.e. the source), your
selfattr extension could have been written using sets as:

  access to *
    by set=(user->account&this) write

Meaning grant write access to anyone bound as a "user" whose entry has a
DN attr "account" whose value is the distinguished name of the target (i.e.
"this").

Btw, the "dnattr=attrname" clause could also be expressed using sets:

  access to *
    by set=(user&this->attrname) write

Back to the original question:

> > >        "for all entries that have the groupOfNames objectclass
> > >        value, give the 'owner' of that entry, write access to
> > >        the entry named by the DN stored in the member attribute."

I agree with Kurt that this can't be expressed by OpenLDAP, but with a
slight modification it should be easy.

Assign roles to users by adding a DN attribute to the entry of the user
holding the role rather than by the owner attribute on the groupOfNames
entry representing the role.  Using sets, the following acl rule should
do what you want (assuming the role granting attr is "role"):

  access to *
    by set=(user->role->member&this) write

That is, write access is granted if the entry the user is bound as (the
"user" part) has a DN attr "role" specifying an entry with a DN attr
"member" that is the DN of the target (i.e. "this").

The set clause allows for some very powerful acl rules using DN
attributes, and so should be used with extreme care (where extreme
can't be emphasized enough).  In this case you had better be sure that only
the intended persons are allowed to add/modify the "role" attribute and
the "member" attribute of entries specified by the "role" attributes.

--
Rein Tollevik				Email: rein@basefarm.no
Senior System Administrator		Phone: +47 22 95 81 96
Basefarm AS				Fax:   +47 22 95 82 10
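The following is an added example, not part of the mailing list post and not OpenLDAP code: a small Python model of how the "set" expressions in the thread resolve. It treats `user` and `this` as one-element sets of DNs, follows each `->attr` step by collecting the DN-valued attribute from every entry in the current set, and treats `&` as set intersection; the clause matches when the result is non-empty. The directory entries, DNs and the `owner`/`role` attribute names are constructed for illustration, and the evaluator covers only the `->` and `&` operators used in the thread (real slapd set syntax is richer and does DN normalization, which this model skips). It also includes the check the author's caveat calls for: listing which bound users would be able to write their own entry, and hence their own "role" attribute, under an `access to *` rule.

```python
# Added example: a toy evaluator for the slapd "set" ACL expressions quoted in
# the thread ("user->role->member&this", "user&this->attrname"). Not the real
# slapd implementation; directory contents below are constructed.

ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"
CAROL = "uid=carol,ou=people,dc=example,dc=com"
ADMINS = "cn=admins,ou=roles,dc=example,dc=com"

# Constructed directory: alice holds the "admins" role, whose member list
# names bob; bob's entry also carries an "owner" DN attribute pointing at alice.
DIRECTORY = {
    ALICE: {"objectClass": ["person"], "role": [ADMINS]},
    BOB: {"objectClass": ["person"], "owner": [ALICE]},
    CAROL: {"objectClass": ["person"]},
    ADMINS: {"objectClass": ["groupOfNames"], "member": [BOB]},
}


def dereference(dns, attr, directory):
    """One '->attr' step: gather the values of `attr` (assumed DN syntax)
    from every entry in `dns`. Missing entries or attributes contribute
    nothing, so a broken chain simply yields the empty set."""
    result = set()
    for dn in dns:
        result.update(directory.get(dn, {}).get(attr, []))
    return result


def resolve(operand, user_dn, target_dn, directory):
    """Resolve 'user->a->b' or 'this->a' to a set of DNs."""
    parts = operand.strip().split("->")
    current = {"user": {user_dn}, "this": {target_dn}}[parts[0]]
    for attr in parts[1:]:
        current = dereference(current, attr, directory)
    return current


def evaluate_set(expr, user_dn, target_dn, directory=DIRECTORY):
    """True when the '&'-intersection of all operands is non-empty, i.e. the
    'by set=(...)' clause matches for this bound user and target entry."""
    operands = expr.strip().strip("()").split("&")
    sets = [resolve(op, user_dn, target_dn, directory) for op in operands]
    return bool(set.intersection(*sets))


def audit_self_writes(expr, directory=DIRECTORY):
    """The caveat from the post: under 'access to *' the same rule governs a
    user's own entry. Return the DNs that could write their own entry (and so
    their own 'role' attribute) under this rule; an empty list is what you
    want to see."""
    return sorted(dn for dn in directory if evaluate_set(expr, dn, dn, directory))


if __name__ == "__main__":
    rule = "(user->role->member&this)"
    print("alice -> bob  :", evaluate_set(rule, ALICE, BOB))    # True
    print("alice -> carol:", evaluate_set(rule, ALICE, CAROL))  # False
    print("bob   -> bob  :", evaluate_set(rule, BOB, BOB))      # False
    print("dnattr form   :", evaluate_set("(user&this->owner)", ALICE, BOB))  # True
    print("self-writable :", audit_self_writes(rule))           # []
```

The `audit_self_writes` helper is the part worth keeping around: if a role entry ever lists a role holder among its own members, that holder can modify the very "role" and "member" values the rule depends on, which is exactly the situation the post warns about.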