Re: Access Control - Variables

[Pierangelo Masarati <masarati@aero.polimi.it>]

Timo wrote:
> 
> Dear List!
> 
> Is it possible to use Variables in ACL rules?
> 
> I'm trying to implement an access-control structure for a
> hardware-management-database.
> Since it will be used for multiple customers, each customer should only
> "see" their hardware.
> 
> The customers will be in
> cn=XY, ou=people, o=customerorganisation, ou=customers, o=myorganisation
> 
> Their hardware will be in
> myobject=XYZ, o=customerorganisation, ou=customers, o=myorganisation
> 
> The people of my organisation (who will get write access to everything)
> will be in
> cn=xy, ou=peole, o=myorganisation
> 
> So my ACL has to look somehow like this:
> access to dn="myobject=XYZ, o=$1, ou=customers, o=myorganisation"
>         by dn="cn=*,ou=peole, o=myorganisation" write
>         by dn="cn=XY, ou=people, o=$1, ou=customers, o=myorganisation"
> write
> 
> Somewhere I've seen ACL-descriptions like these:
> access to dn="(.*)?, o=$1, ou=customers, o=myorganisation"
>         by dn="(.*)?, ou=peole, o=myorganisation" write
>         by dn="(.*)?, ou=people, o=$1, ou=customers, o=myorganisation"
> write
> 
> My Questions:
> A: Will both of the above ACLS work, and, if, where is the difference?
> B: Will the Variable "o=$1" work? If not, how can I get a similar result
> without hard-coding
>    every customer in the ACL?

You can use regex pattern substitution in the form:

access to dn=".*ou=([^,]+),o=myorganization"
	by dn="cn=admin,ou=$1,o=myorganization" write
	by * read

so, if you call "cn=admin,ou=customer X,o=myorganization"
the administrator of "customer X", then it can access
all data below "ou=customer X,o=myorganization"

Pierangelo.


-- 
Dr. Pierangelo Masarati               | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale                | fax:   +39 02 2399 8334
Politecnico di Milano                 | mailto:masarati@aero.polimi.it
via La Masa 34, 20156 Milano, Italy   |
http://www.aero.polimi.it/~masarati