
Attribute scope of attr=entry in an ACL
Hello all,

I have OpenLDAP 2.1.16.

Like many, I have a question about ACLs. Does the "attr=entry" include
all of the attributes in the entry itself? It would seem not. I have
ACLs that read thus:

(above is an ACL that limits access to attr=userPassword)
access to dn="cn=([^,]+),ou=([^,]+),ou=([^,]+),o=people,o=company" attr=children
        by self write
        by dn="cn=$1,ou=$2,ou=$3,o=people,o=company" write
        by group="cn=Admin,o=company" write
        by group="cn=Admin,o=people,o=company" write
        by group="cn=Admin,ou=$3,o=people,o=company" write
        by group="cn=Admin,ou=$2,ou=$3,o=people,o=company" write
access to dn="cn=([^,]+),ou=([^,]+),ou=([^,]+),o=people,o=company" attr=entry
        by self write
        by group="cn=Admin,o=company" write
        by group="cn=Admin,o=people,o=company" write
        by group="cn=Admin,ou=$3,o=people,o=company" write
        by group="cn=Admin,ou=$2,ou=$3,o=people,o=company" write
        by users read
        by * auth
.....

No anonymous access (except auth or compare on userPassword) is
allowed. Everyone authenticates with their DN
(cn=Person*,ou=region*,ou=org*,o=people,o=company). Everyone needs read-only
access to the address books above their entry and write access to
their address book entries below their entry. Users should have read
access to the cn=Person*,ou=region*,ou=org*,o=people,o=company entries
and above, but not to anything below that point. Administration is done
via the groupOfNames objectClass (each level of company, people, org*
and region* has an administration group).

I do an ldapsearch on '(objectclass=*)' with a base of
'o=people,o=company'. With "attr=entry" at the end of that second ACL,
and starting slapd with -d -1, I see that the ACL matches, but on the
attribute check, no joy. When I remove "attr=entry", the ACL matches and
all entries below are displayed.

Either way (with and without attr=entry), the user cannot write
entries below the entry the user authenticated as.

My directory structure is thus:
o=company
 |--o=people
 |    |--ou=org1
 |    |    |--ou=region1
 |    |    |    |--cn=Person1
 |    |    |    |    |--cn=Personal Address Book Entry1
 |    |    |    |    |--cn=Personal Address Book Entry2
 |    |    |    |    |--...
 |    |    |    |
 |    |    |    |--cn=Person2
 |    |    |    |    |--cn=Personal Address Book Entry1
 |    |    |    |    |--cn=Personal Address Book Entry2
 |    |    |    |    |--...
 |    |    |    |
 |    |    |    |--...
 |    |    |    |
 |    |    |    |--cn=Address Book
 |    |    |    |    |--cn=Region1 Address Book Entry1
 |    |    |    |    |--cn=Region1 Address Book Entry2
 |    |    |    |    |--...
 |    |    |
 |    |    |--ou=region2
 |    |    |    |--...Sub-structure = region1
 |    |    |
 |    |    |--...Other regions with their sub-structure = region1.
 |    |    |
 |    |    |--cn=Address Book
 |    |    |    |--cn=Org1 Address Book Entry1
 |    |    |    |--cn=Org1 Address Book Entry2
 |    |    |    |--...
 |    |
 |    |--ou=org2
 |    |    |--Sub-structure pretty much the same as above.
 |    |
 |    |--...Other orgs with their sub-structure = org1
 |    |
 |    |--cn=Address Book
 |    |    |--cn=Company Address Book Entry1
 |    |    |--cn=Company Address Book Entry2
 |    |    |--...
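
To make the scope difference concrete, here is an added slapd.conf fragment that is not part of the original post: it sets the post's attr=entry rule beside rules that name the entry, children and regular attributes separately. It assumes OpenLDAP 2.1 ACL syntax, the post's DN layout and group DNs, and hypothetical attribute names.

```conf
# Added example, not from the original post. Assumes OpenLDAP 2.1
# slapd.conf ACL syntax and the DN layout described in the post; the
# group DNs are the post's own, the attribute names are hypothetical.

# 1) attr=entry names only the "entry" pseudo-attribute. The rule is
#    selected for a person entry, but cn, objectClass, mail, ... are
#    not covered by it and fall through to later rules and finally to
#    the implicit "access to * by * none". A search then finds the
#    entry and still returns nothing: the entry check passes, the
#    attribute check fails.
access to dn="cn=([^,]+),ou=([^,]+),ou=([^,]+),o=people,o=company" attr=entry
        by self write
        by users read
        by * auth

# 2) Without an attr list the rule applies to every regular attribute
#    and to the entry and children pseudo-attributes as well, which is
#    why the entries appear as soon as attr=entry is removed. Splitting
#    the scopes out keeps the intent visible; order matters, since the
#    first rule whose "access to" part matches is the one applied.

# userPassword: the owner and the region admin may change it, others
# may only bind or compare against it
access to dn="cn=([^,]+),ou=([^,]+),ou=([^,]+),o=people,o=company" attr=userPassword
        by self write
        by group="cn=Admin,ou=$2,ou=$3,o=people,o=company" write
        by * auth

# children: who may add or delete entries directly under a person entry
# (the personal address book). "self" compares the bound DN with the
# entry being checked, so it is the person entry that grants this.
access to dn="cn=([^,]+),ou=([^,]+),ou=([^,]+),o=people,o=company" attr=children
        by self write
        by group="cn=Admin,ou=$2,ou=$3,o=people,o=company" write
        by * none

# entry plus all regular attributes of the person entry
access to dn="cn=([^,]+),ou=([^,]+),ou=([^,]+),o=people,o=company"
        by self write
        by group="cn=Admin,ou=$2,ou=$3,o=people,o=company" write
        by users read
        by * auth
```

Running the search from the post with slapd -d -1 against each variant shows whether the attribute check, not the DN match, is what denies the result.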