Re: Question on access
Harry Rüter wrote:
>
> Hi,
>
> I'm a little confused whether I really understood the
> "access-rights-concept".
Although some of the most fancy features are currently implemented
in HEAD/beta only, you may take a look at the slapd.access(5) man page
that comes with 2.1 beta. There you can find a detailed answer
to most of your questions.
>
> So here are my questions :
>
> The slapd daemon looks through all access-statements until
> it finds a rule which matches.
>
> So if access to dn=xyz is wanted and it's not specifically
> defined by an access-rule, there must be an access-statement
> at the end of the access-list which will match everything?
In principle, yes. Note that if no explicit default rule is present,
slapd uses implicit rules: look at the "defaultAccess" directive.
>
> Example (without the by-statements):
>
> -----------------------------------
> access to dn=xyz ... wanted
>
> access to
> dn=".*,ou=Roaming,ou=accounts,ou=mynetwork,o=myorganization,dc=hrnet,dc=de"
>
> access to attr=loginShell
>
> access to *
> -----------------------------------------------------------
>
> Only the last rule will match, correct ?
>
> This is a strong rule:
> if an access-statement matches, the other, following
> statements will be ignored?
Yes; however you can change this behavior with continuation statements
at the end of a by clause: break, stop and continue.
>
> --------------------------------------
>
> The same procedure in an access-statement ?
>
> The slapd daemon looks through all by-statements until
> it finds a rule which matches?
>
> Example:
>
> dn="nsLIProfilename=harry,ou=Roaming,ou=accounts,ou=mynetwork,o=myorganization,dc=hrnet,dc=de"
> wants to read/write its roaming-profile :
>
> Here's the roaming-profile for harry :
> ----------------------------------------------------------------------------------------
> owner uid=harry,ou=users,ou=accounts,ou=mynetwork,o=myorganization,dc=hrnet,dc=de
> nsLIProfileName harry
> objectClass top
> objectClass nsLIProfile
> -----------------------------------------------------------------------------------------
> Here's the user harry (without the "secret" things :o) ):
>
> -----------------------------------------------------------------------------------------
> logonTime 0
> displayName harry
> objectClass krb5Principal
> objectClass sambaAccount
> objectClass posixAccount
> lmPassword xxxxxxxxxxxxxxxxxxxx
> primaryGroupID 513
> acctFlags [U ]
> userPassword xxxxxxxxxxxxxxxxxxxxxxx
> uid harry
> uidNumber 1234
> cn harry
> logoffTime 2147483647
> gidNumber 100
> kickoffTime 2147483647
> pwdLastSet 1018479633
> krb5PrincipalName xxxxxxxxxxxxxxx
> rid 545
> homeDirectory /home/harry
> pwdCanChange 0
> pwdMustChange 2147483647
> ntPassword xxxxxxxxxxxxxxxxxxxxxxxxxxxx
>
> -----------------------------------------------------------------------------------------
>
> Here is the access-rule which belongs to the roaming
> profiles:
>
> ------------------------------------------------------------------
> access to
> dn=".*,ou=Roaming,ou=accounts,ou=mynetwork,o=myorganization,dc=hrnet,dc=de"
> by dn="uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de" write
> by dn="uid=ldapAdmin.+\+realm=HRNET.DE" write
> by dnattr=owner write
> by * none
> --------------------------------------------------------------------------------
>
> Will harry get write-access to its profile?
>
> Generally there's the following rule when editing
> the access-statements:
>
> First everything specialized, then the more general things
> (with * in it),
> right ?
>
> Last question:
>
> How do I read those by-statements:
>
> by dn="uid=ldapAdmin.+\+realm=HRNET.DE" write
Not sure about that; it looks like a SASL-related DN format.
Maybe someone else can better answer this.
>
> What's the matching rule for this ?
> What's going on with the "." ?
The '.' means any char in regex(7) style; actually a regexec(3)
match (the default) will be performed.
>
> Couldn't I write
>
> by dn="uid=ldapAdmin@HRNET.DE" write
If your admin DN were "uid=ldapAdmin@HRNET.DE", then
you could use
by dn="uid=ldapAdmin@HRNET\.DE" write
because you need to escape '.' when compiling the regex(7);
however this is inefficient; better use
by dn.exact="uid=ldapAdmin@HRNET.DE" write
Pierangelo.
--
Dr. Pierangelo Masarati              | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale               | fax:   +39 02 2399 8334
Politecnico di Milano                | mailto:pierangelo.masarati@polimi.it
via La Masa 34, 20156 Milano, Italy  | http://www.aero.polimi.it/~masarati
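The evaluation order discussed in this thread (first matching `access to` wins, then the first matching `by` clause; `dn.exact` versus the default regex match; `dnattr=owner`), as an added example that is not from the list or from OpenLDAP itself: a simplified Python model of slapd's first-match ACL logic, with the entries, DNs and the `ldapAdmin@HRNET.DE` requester constructed for illustration.

```python
import re

# Constructed sample data modelled on the thread (not real directory content).
PROFILE_DN = ("nsLIProfileName=harry,ou=Roaming,ou=accounts,ou=mynetwork,"
              "o=myorganization,dc=hrnet,dc=de")
HARRY_DN = "uid=harry,ou=users,ou=accounts,ou=mynetwork,o=myorganization,dc=hrnet,dc=de"
ADMIN_DN = "uid=admin,ou=ldap,o=myorganization,dc=hrnet,dc=de"
ENTRIES = {PROFILE_DN: {"owner": [HARRY_DN]}, HARRY_DN: {}}

# Access directives in slapd.conf order: (target DN regex, [(who, value, level), ...]).
# The specific roaming-profile rule comes first, the catch-all last.
ACLS = [
    (r".*,ou=Roaming,ou=accounts,ou=mynetwork,o=myorganization,dc=hrnet,dc=de", [
        ("dn.exact", ADMIN_DN, "write"),                       # plain string compare
        ("dn.regex", r"^uid=ldapAdmin@HRNET\.DE$", "write"),   # '.' escaped, as advised
        ("dnattr", "owner", "write"),                          # requester is in 'owner'
        ("*", None, "none"),
    ]),
    (r".*", [("*", None, "read")]),
]

def who_matches(who, value, requester, entry):
    """Evaluate one 'by' clause for the requester DN against the target entry."""
    if who == "*":
        return True
    if who == "dn.exact":
        return requester == value
    if who == "dn.regex":                 # default 'dn=' form: regexec(3)-style search
        return re.search(value, requester) is not None
    if who == "dnattr":                   # 'by dnattr=owner': attr value names requester
        return requester in entry.get(value, [])
    return False

def access_level(requester, target_dn, acls=ACLS, entries=ENTRIES):
    """First 'access to' whose target matches wins; within it the first matching
    'by' wins. Simplification: no break/stop/continue, and a matching 'access to'
    with no matching 'by' is treated as none."""
    for target_re, by_clauses in acls:
        if re.search(target_re, target_dn) is None:
            continue
        for who, value, level in by_clauses:
            if who_matches(who, value, requester, entries.get(target_dn, {})):
                return level
        return "none"
    return "none"

def shadowed_by_catchall(requester, target_dn):
    """Same rules with 'access to *' listed first: it matches every DN, so the
    roaming-profile rule below it is never reached."""
    return access_level(requester, target_dn, acls=list(reversed(ACLS)))
```

Running it shows harry getting write on his own profile through `dnattr=owner`, any other user getting none despite the later `access to *`, and the unescaped `HRNET.DE` pattern also accepting a look-alike such as `HRNETxDE`.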