[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Using forward references and filters in ACLs in OpenLDAP
This seems like a useful feature. I think you can impliment a similar
thing via the "set" directive. For example, you had
> access to filter=(invisible=true)
> by filter=(role=staff) read
> by filter=(role=student) none
Currently, with the "set" directive, you could do this:
access to filter=(invisible=true)
by set="user/role & [staff]" read
by set="user/role & [student]" none
You can find more information on the "set" directive at
http://www.openldap.org/faq/data/cache/452.html
Despite the "set" directive's weak documentation, it is a very powerful
construct. Since you can dereference attributes with the
"distinguishedName" syntax, you can easily create relationships between
different entries (such as "this/manager & user"). Here at APU, we have
used it to support groups within groups using something like
"cn=MetaGroup,dc=apu,dc=edu/member/member & user".
I think your proposal for a filter based "who" clause is more intuative
than the set directive and might serve as a good alternative.
- Christoph
On Tue, 16 Jul 2002, Mads Freek wrote:
> Almost a year agon I asked on this list if it were possible to
> use filter clauses in the by part of the ACLs in OpenLDAP (a
> filter checked against the binded user). Pierangelo Masarati was
> kind enough to answer that is wasn't possible and that it
> probably was to costly an operation anyway.
>
> Yesterday I was looking at the code implementing the group
> clause in the by part of the ACLs and it hit me that by
> switching two parameters (the dn of the group and the dn of the
> user) I would be able to use forward referencing ie. basing
> group membership on the value of an attribute of an entry
> instead of listing the dn of an entry as a value of an attribute
> of the group.
>
> Expressed as ldap urls the current code checks if this evaluates
> to true (ie the filterpart would select the dn if used in a
> search) :
>
> ldap:///<dn of group>??one?(&(objectclass=<group object
> class>)(<member attribute>=<dn of user>))
>
> by getting the group entry and checking for objectclass and
> member attribute.
>
> By switching the group and the user dn parameters (and dropping
> the objectclass check) this becomes:
>
> ldap:///<dn of user>??one?(<member attribute>=<dn of group>)
>
> A full dn for the group isn't needed so this becomes:
>
> ldap:///<dn of user>??one?(<some attribute>=<some value>)
>
> which doesn't seem more costly to evaluate than the original url above.
>
> While working with this it hit me that if it were so easily
> expressed as a filter why not implement it as general filter
> checking instead of a specialized group checking.
>
> So I have made a simplified bdb_group (based on 2.1.3) which
> basically take a dn and a filter. Using this I have made some
> changes in the acl part of the code to allow access clauses like:
>
> access to filter=(invisible=true)
> by filter=(role=staff) read
> by filter=(role=student) none
>
>
> and some changes in the limit code to allow limits clauses like:
>
> limits filter=(role=staff) size=500
> limits filter=(role=student) size=25
>
> (both examples examplifies existing problems in our current
> implementation of LDAP at Roskilde University. The students are
> allowed to mark their entry invisible for the world and for
> other students, but not for staff members. I don't want to
> introduce static groups or branches in the tree to solve this.
> Likewise staff members are allowed to se more entries than the
> world or the students and enforcing this has to my knowledge
> only been possible using branches.)
>
> I am sending this preliminary report to the list to se if there
> is some interest in adding this feature to OpenLDAP.
>
> If so I would suggest that a back_filter function is added to
> the backend api and that the filter and the group ACLs might be
> implemented (at least in back-bdb) using this. The existing per
> connection GroupAssertion cache could then be replaced by a
> FilterAssertion cache - caching both group and filter use.
>
>
> Regards Mads Freek
>
> ------------------------------------------------------
> Mads Freek Petersen
> Computer Science Department
> Roskilde University
> Building 42-1, P.O. Box 260, DK-4000 Roskilde, Denmark
>
> Phone: +45 4674 3882
> Fax: +45 4674 3072
> E-mail: freek@ruc.dk
>
>
>