
SOLVED: Format of ACL (feature request)





Dear list,

After filing an ITS and appropriate answers from Kurt, I now know how to deal 
with ACLs and comments in slapd.conf.

Following is just for the record:

In slapd.conf, and hence in the files that contain ACLs and that are included 
in slapd.conf, lines that don't fit on one line are continued on the 
following line, when and only when there is whitespace at the start of the 
continuation line.

Example:

access to * by *

Can also be written as:

access to *
	by *

In many examples in the documentation, ACLs are shown in the latter form, 
which led me to think they were actually separate lines, while in reality it is 
one long line broken up into smaller lines.

In slapd.conf(5), it is noted that empty lines are ignored, as well as lines 
that start with a #. The latter are called 'comments'.

The following example will NOT work:

access to *
# comment
	by *

Although 'lines that start with # will be ignored', this ignoring happens only 
after continuation lines are joined.

In this example, the 'access to *' line is NOT continued, because the next 
line DOES NOT start with a whitespace.

Actually, according to Kurt, who changed this in the documentation, the 'by *' line 
becomes part of the comment!

The previous example should be read as:
access to *
# comment by *

Since 'access to *' is not a complete statement, slapd gives an error.


Many greetings,

Ace



> Hi,
>
> Just a loose thought or two
>
> It seems the format of the ACLs is rather restrictive. As far as I
> noticed, the following stuff happens:
>
>
> EXAMPLE 1:
>
> access to *
> by * none
>
> ERROR 1:
> /etc/ldap/qwidoACL/qwido.acl.global: line 300: warning: no by clause(s)
> specified in access line
> /etc/ldap/qwidoACL/qwido.acl.global: line 301: unknown directive "by"
> outside backend info and database definitions (ignored)
>
> EXAMPLE 2
> access to *
> # comment
> [tab]by * none
>
> ERROR 2:
> /etc/ldap/qwidoACL/qwido.acl.global: line 300: warning: no by clause(s)
> specified in access lines
>
> EXAMPLE 3
> [tab]access to *
> [tab][tab]by * none
>
> ERROR 3:
> No error message, but the entire ACL is ignored.
>
> These examples show that it becomes really difficult to indent the ACLs in
> such a way that they are more readable, or insert comments between ACLs
> for clarity.
>
> Could these restrictions be loosened, so that at least comment lines are
> just ignored (and not translated to 'empty' lines), and that indentation
> might be less of a problem?
>
> Another feature that could make ACLs more simple to maintain would be the
> definition of some constants at the top of the ACL file. It would be really
> handy to, for example, specify:
>
> PEOPLETREE: ou=people,dc=example,dc=com
> ADMIN: cn=admin,$PEOPLETREE$
>
> at the top of the file and later use it like this:
>
> access to $PEOPLETREE$
> 	by $MANAGER$ write
> 	by users read
> 	by anonymous auth
> 	by * none
>
> What do you think?
>
> _Ace

-- 
Ace Suares' Internet Consultancy
NEW ADDRESS: Postbus 2599, 4800 CN Breda
phone: 06-244 33 608
fax and voicemail: 0848-707 705
website: http://www.suares.nl * http://www.qwikzite.nl
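The continuation-then-comment rule explained in the message above, as an added example (not code from the post or from OpenLDAP): a small Python model of the two-pass reading, run over the post's own examples. The helper names and the "missing by clause" check are this example's own assumptions, modelled on the post's description rather than on slapd's source.

```python
# Added example (not from the original post or from OpenLDAP): a model of the
# slapd.conf line-joining rule described in the post. Pass 1 folds any line
# that starts with whitespace into the previous logical line; pass 2 then drops
# blank lines and lines starting with '#'. Because comments are recognised only
# after joining, a comment between a directive and its continuation swallows
# the continuation. This mirrors the post's description, not slapd's source.

def join_continuations(text):
    """Pass 1: a line starting with a space or tab continues the line before."""
    logical = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and logical:
            # Continuation: append with the leading whitespace collapsed to one space.
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw)
    return logical


def strip_comments(lines):
    """Pass 2: ignore empty lines and lines whose first character is '#'."""
    return [line for line in lines if line.strip() and not line.startswith("#")]


def parse_slapd_conf(text):
    """Return the logical directives slapd would actually see."""
    return strip_comments(join_continuations(text))


def access_lines_without_by(statements):
    """Flag 'access to' directives that lost their 'by' clauses, the condition
    behind the 'no by clause(s) specified in access line' warning quoted in
    the original feature request."""
    return [s for s in statements if s.startswith("access to") and " by " not in s]


# Constructed samples matching the post's examples (tabs as in slapd.conf).
GOOD = "access to *\n\tby *\n"                  # continuation joins cleanly
BAD = "access to *\n# comment\n\tby *\n"        # comment swallows the 'by' line
FIXED = "# comment\naccess to *\n\tby *\n"      # comment moved before the directive

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD), ("FIXED", FIXED)):
        stmts = parse_slapd_conf(sample)
        print(name, stmts, "missing by clause:", access_lines_without_by(stmts))
```

Running it shows the BAD sample reduced to a bare `access to *`, which is exactly the statement slapd rejects as having no by clause.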