
Using forward references and filters in ACLs in OpenLDAP



Almost a year ago I asked on this list if it were possible to use filter clauses in the by part of the ACLs in OpenLDAP (a filter checked against the bound user). Pierangelo Masarati was kind enough to answer that it wasn't possible and that it probably was too costly an operation anyway.

Yesterday I was looking at the code implementing the group clause in the by part of the ACLs and it hit me that by switching two parameters (the dn of the group and the dn of the user) I would be able to use forward referencing, i.e. basing group membership on the value of an attribute of an entry instead of listing the dn of an entry as a value of an attribute of the group.

Expressed as LDAP URLs, the current code checks if this evaluates to true (i.e. the filter part would select the dn if used in a search):

ldap:///<dn of group>??one?(&(objectclass=<group object class>)(<member attribute>=<dn of user>))

by getting the group entry and checking for objectclass and member attribute.

By switching the group and the user dn parameters (and dropping the objectclass check) this becomes:

ldap:///<dn of user>??one?(<member attribute>=<dn of group>)

A full dn for the group isn't needed so this becomes:

ldap:///<dn of user>??one?(<some attribute>=<some value>)

which doesn't seem more costly to evaluate than the original url above.

While working with this it hit me that if it were so easily expressed as a filter why not implement it as general filter checking instead of a specialized group checking.

So I have made a simplified bdb_group (based on 2.1.3) which basically takes a dn and a filter. Using this I have made some changes in the ACL part of the code to allow access clauses like:

access to filter=(invisible=true)
	by filter=(role=staff) read
	by filter=(role=student) none


and some changes in the limit code to allow limits clauses like:

limits  filter=(role=staff) size=500
limits  filter=(role=student) size=25

(Both examples exemplify existing problems in our current implementation of LDAP at Roskilde University. The students are allowed to mark their entry invisible to the world and to other students, but not to staff members. I don't want to introduce static groups or branches in the tree to solve this. Likewise staff members are allowed to see more entries than the world or the students, and enforcing this has, to my knowledge, only been possible using branches.)
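The following is an added illustration, not the poster's patch and not OpenLDAP code: a small Python evaluator that implements both the existing "by group" check (the first LDAP URL above, evaluated against the group entry) and the proposed "by filter" check (the forward reference, evaluated against the bound user's own entry), and then applies them to the access clause from the post. The directory, DNs, attribute names and the first-match rule over the by clauses are constructed assumptions for the example.

```python
"""Toy model of the ACL semantics discussed in the post.

A 'to filter=...' clause selects target entries; a 'by filter=...' clause is
evaluated against the *bound* user's own entry (forward reference) instead of
against a group entry's member attribute.  Constructed example, not slapd code.
"""

# Constructed sample directory: dn -> {attribute -> [values]} (assumed data).
DIRECTORY = {
    "cn=staff,ou=groups,dc=example,dc=org": {
        "objectclass": ["groupOfNames"],
        "member": ["uid=alice,ou=people,dc=example,dc=org"],
    },
    "uid=alice,ou=people,dc=example,dc=org": {"role": ["staff"], "invisible": ["false"]},
    "uid=bob,ou=people,dc=example,dc=org": {"role": ["student"], "invisible": ["true"]},
    "uid=carol,ou=people,dc=example,dc=org": {"role": ["student"], "invisible": ["false"]},
}


def parse_filter(text):
    """Parse the subset of search filters the post uses: (attr=value), (&...), (|...).
    Returns a nested tuple tree; anything else raises."""
    text = text.strip()
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at %d" % pos)
        pos += 1
        if text[pos] in "&|":
            op = text[pos]
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(parse())
            if text[pos] != ")":
                raise ValueError("expected ')' at %d" % pos)
            pos += 1
            return (op, kids)
        end = text.index(")", pos)
        attr, value = text[pos:end].split("=", 1)  # split once: DN values contain '='
        pos = end + 1
        return ("=", attr.strip().lower(), value.strip())

    tree = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(entry, node):
    """Evaluate a parsed filter against one entry (case-insensitive exact match)."""
    if node[0] == "=":
        _, attr, value = node
        return any(v.lower() == value.lower() for v in entry.get(attr, []))
    op, kids = node
    results = (matches(entry, k) for k in kids)
    return all(results) if op == "&" else any(results)


def group_check(directory, group_dn, group_oc, member_attr, user_dn):
    """Existing 'by group' semantics:
    ldap:///<group dn>??one?(&(objectclass=<oc>)(<member attr>=<user dn>))"""
    group = directory.get(group_dn)
    if group is None:
        return False
    flt = ("&", [("=", "objectclass", group_oc), ("=", member_attr.lower(), user_dn)])
    return matches(group, flt)


def forward_check(directory, user_dn, filter_text):
    """Proposed 'by filter' semantics:
    ldap:///<user dn>??one?(<attr>=<value>), checked on the bound user's own entry.
    An unknown or anonymous bind DN never matches."""
    user = directory.get(user_dn)
    return user is not None and matches(user, parse_filter(filter_text))


def evaluate_access(directory, acl, bound_dn, target_dn):
    """acl = {'to': filter text, 'by': [(filter text, level), ...]}.
    Returns the level of the first matching 'by' clause (first match wins, as in
    slapd), or None when the target is not selected or no clause applies."""
    target = directory.get(target_dn)
    if target is None or not matches(target, parse_filter(acl["to"])):
        return None
    for by_filter, level in acl["by"]:
        if forward_check(directory, bound_dn, by_filter):
            return level
    return None


# The access clause from the post, in the toy representation.
ACL = {"to": "(invisible=true)",
       "by": [("(role=staff)", "read"), ("(role=student)", "none")]}

if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=org"
    bob = "uid=bob,ou=people,dc=example,dc=org"
    print("alice -> bob:", evaluate_access(DIRECTORY, ACL, alice, bob))
    print("bob -> bob (via student clause):", evaluate_access(DIRECTORY, ACL, bob, bob))
```

The point the example makes is the one in the post: both checks are a single entry lookup plus a filter match, so the forward reference costs no more than the group lookup, while the entry that must carry the membership information changes from the group to the user.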

I am sending this preliminary report to the list to see if there is some interest in adding this feature to OpenLDAP.

If so I would suggest that a back_filter function is added to the backend api and that the filter and the group ACLs might be implemented (at least in back-bdb) using this. The existing per connection GroupAssertion cache could then be replaced by a FilterAssertion cache - caching both group and filter use.


Regards Mads Freek

------------------------------------------------------
Mads Freek Petersen
Computer Science Department
Roskilde University
Building 42-1, P.O. Box 260, DK-4000 Roskilde, Denmark

Phone:  +45 4674 3882
Fax:    +45 4674 3072
E-mail: freek@ruc.dk