
Re: Question on access



Harry Rüter wrote:
> 
> Hi,
> 
> I'm a little confused if I really understood the
> "access-rights-concept".

Although some of the most fancy features are currently implemented 
in HEAD/beta only, you may take a look at the slapd.access(5) man page
that comes with 2.1 beta.  There you can find a detailed answer 
to most of your questions.

> 
> So here are my questions :
> 
> The slapd-daemon looks through all access-statements until
> it finds a rule which matches.
> 
> So if an access to dn=xyz is wanted and it's not specially
> defined by an access-rule there must be an access-statement
> at the end of the access-list, which will match everything?

In principle, yes.  Note that if no explicit default rule is present,
slapd uses implicit rules: look at the "defaultAccess" directive.

> 
> Example (without the by-statements):
> 
> -----------------------------------
> access to dn=xyz ... wanted
> 
> access to
> dn=".*,ou=Roaming,ou=accounts,ou=mynetwork,o=myorganization,dc=hrnet,dc=de"
> 
> access to attr=loginShell
> 
> access to *
> -----------------------------------------------------------
> 
> Only the last rule will match, correct ?
> 
> This is a strong rule,
> if an access-statement matches, the other, following,
> statements will be ignored?

Yes; however you can change this behavior with continuation statements
at the end of a by clause: break, stop and continue.

> 
> --------------------------------------
> 
> The same procedure in an access-statement ?
> 
> The slapd-daemon looks through all by-statements until
> it finds a rule which matches?
> 
> Example:
> 
> dn="nsLIProfilename=harry,ou=Roaming,ou=accounts,ou=mynetwork,o=myorganization,dc=hrnet,dc=de"
> wants to read/write its roaming-profile :
> 
> Here's the roaming-profile for harry :
> ----------------------------------------------------------------------------------------
> owner   uid=harry,ou=users, ou=accounts, ou=mynetwork,
> o=myorganization, dc=hrnet,dc=de
> nsLIProfileName harry
> objectClass     top
> objectClass     nsLIProfile
> -----------------------------------------------------------------------------------------
> Here's the user harry (without the "secret" things :o) ):
> 
> -----------------------------------------------------------------------------------------
> logonTime       0
> displayName     harry
> objectClass     krb5Principal
> objectClass     sambaAccount
> objectClass     posixAccount
> lmPassword      xxxxxxxxxxxxxxxxxxxx
> primaryGroupID  513
> acctFlags       [U          ]
> userPassword    xxxxxxxxxxxxxxxxxxxxxxx
> uid     harry
> uidNumber       1234
> cn      harry
> logoffTime      2147483647
> gidNumber       100
> kickoffTime     2147483647
> pwdLastSet      1018479633
> krb5PrincipalName xxxxxxxxxxxxxxx
> rid     545
> homeDirectory   /home/harry
> pwdCanChange    0
> pwdMustChange   2147483647
> ntPassword      xxxxxxxxxxxxxxxxxxxxxxxxxxxx
> 
> -----------------------------------------------------------------------------------------
> 
> Here is the access-rule which belongs to the roaming
> profiles:
> 
> ------------------------------------------------------------------
> access to
> dn=".*,ou=Roaming,ou=accounts,ou=mynetwork,o=myorganization,dc=hrnet,dc=de"
>   by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
> write
>   by dn="uid=ldapAdmin.+\+realm=HRNET.DE" write
>   by dnattr=owner write
>   by * none
> --------------------------------------------------------------------------------
> 
> Will harry get write-access to its profile?
> 
> Generally there's the following rule, when editing
> the access-statements :
> 
> First everything specialized, then the more general things
> (with * in it),
> right ?
> 
> Last question:
> 
> How do I read those by-statements:
> 
>  by dn="uid=ldapAdmin.+\+realm=HRNET.DE" write

Not sure about that; it looks like a SASL-related DN format.
Maybe someone else can better answer this.

> 
> What's the matching rule for this ?
> What's going on with the "." ?

The '.' means any char in regex(7) style; actually a regexec(3)
match (the default) will be performed.

> 
> Couldn't i write
> 
>  by dn="uid=ldapAdmin@HRNET.DE" write

If your admin DN were "uid=ldapAdmin@HRNET.DE", then
you could use 

	by dn="uid=ldapAdmin@HRNET\.DE" write

because you need to escape '.' when compiling the regex(7);
however this is inefficient; better use

	by dn.exact="uid=ldapAdmin@HRNET.DE" write

Pierangelo.


-- 
Dr. Pierangelo Masarati               | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale                | fax:   +39 02 2399 8334
Politecnico di Milano                 |
mailto:pierangelo.masarati@polimi.it
via La Masa 34, 20156 Milano, Italy   |
http://www.aero.polimi.it/~masarati
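As an added illustration (not code from the thread and not OpenLDAP's own ACL code), a small Python model of the evaluation order described in the answers above: the first matching "access to" directive is used, inside it the first matching "by" clause decides unless its control is continue or break, and a "by dn=..." pattern with an unescaped '.' matches more requesters than "by dn.exact=...". That a dn=<regex> is anchored to the whole DN, and the DN normalisation used for dn.exact and dnattr, are assumptions of the model; the DNs and the roaming directive follow the thread.

```python
import re
# Constructed, simplified model of slapd.conf ACL evaluation (not OpenLDAP code).
# Assumed: dn=<regex> matches case-insensitively against the whole DN.
def norm_dn(dn):
    """Rough DN normalisation: lowercase, drop blanks after commas."""
    return ",".join(p.strip() for p in dn.split(",")).lower()
def who_matches(who, requester, entry):   # one 'by' clause, who = (style, value)
    style, value = who
    if style == "any":                                    # by *
        return True
    if style == "dnattr":                                 # by dnattr=<attr>
        return norm_dn(requester) in [norm_dn(d) for d in entry.get(value, [])]
    if style == "exact":                                  # by dn.exact=<dn>
        return norm_dn(requester) == norm_dn(value)
    return re.fullmatch(value, requester, re.I) is not None  # by dn=<regex>
def evaluate(rules, target_dn, requester, entry):
    """First matching 'access to' wins; inside it the first matching 'by' decides
    unless control is continue (keep scanning) or break (next directive)."""
    granted = "none"                        # no matching 'by' acts as 'by * none'
    for target_re, by_clauses in rules:
        if re.fullmatch(target_re, target_dn, re.I) is None:
            continue
        for who, level, control in by_clauses:
            if not who_matches(who, requester, entry):
                continue
            granted = level
            if control == "stop":
                return granted
            if control == "break":
                break
        else:
            return granted
    return granted

BASE = "ou=accounts,ou=mynetwork,o=myorganization,dc=hrnet,dc=de"  # thread's DNs
PROFILE_DN = "nsLIProfilename=harry,ou=Roaming," + BASE
HARRY_DN = "uid=harry,ou=users," + BASE
# owner value written with blanks after commas, as in harry's profile entry
PROFILE_ENTRY = {"owner": ["uid=harry,ou=users, ou=accounts, ou=mynetwork, "
                           "o=myorganization, dc=hrnet,dc=de"]}
def roaming_rules(ldap_admin_who):
    """The thread's roaming directive (ldapAdmin clause parameterised) + catch-all."""
    return [
        (r".*,ou=Roaming," + re.escape(BASE), [
            (("regex", "uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"), "write", "stop"),
            (ldap_admin_who, "write", "stop"),
            (("dnattr", "owner"), "write", "stop"),
            (("any", None), "none", "stop")]),
        (r".*", [(("any", None), "read", "stop")])]
def access_for(requester, target_dn=PROFILE_DN, who=("exact", "uid=ldapAdmin@HRNET.DE")):
    return evaluate(roaming_rules(who), target_dn, requester, PROFILE_ENTRY)
```

Running it shows harry getting write access to his own profile through the dnattr=owner clause, any other user falling through to "by * none" rather than the catch-all directive, and the unescaped regex granting write to a DN that dn.exact rejects.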