
Re: ACL for only creating entry




Hi,

In the example I sent you - my own configuration with all the qwido's in it - 
it SEEMS to work. I can add an entry with GQ and then GQ doesn't let me read 
the entry. That's what you want, isn't it?

Also, these ACLs are only part of the total ACLs. I'd like you to give me an 
example ldif file and the full ACL file, but as simple as possible. 

In my understanding the following can be explained:

> # Make the user entry writable for WebRegister
> # make the user entry readable for users
> access to dn.regex="uid=(.+),ou=users,dc=theoretic,dc=com" attrs=entry
>   by dn.regex="uid=$1,ou=users,dc=theoretic,dc=com" read
>   by dn.base="uid=webregister,ou=services,dc=theoretic,dc=com" write
>   by * none

webregister also needs some permissions above 'uid='... but these shouldn't 
have to be WRITE permissions. Did you try with read? Are you using GQ? Can 
you browse the tree? Can you search the tree?
>
> # Forbid access to the other attributes of individual user entries by
> # WebRegister
> access to dn.regex="uid=(.+),ou=users,dc=theoretic,dc=com"
>   by dn.regex="uid=$1,ou=users,dc=theoretic,dc=com" read
>   by * none

This rule forbids webregister from reading existing entries. However, a 
non-existing entry can still be created because of the previous rule! That's 
the trick, that's how I think it works.

>
> # Grant access to WebRegister to create new users,
> #  even if it can't see them (above ACL)
> access to dn.base="ou=users,dc=example,dc=com" attrs=children
>   by dn.base="uid=webregister,ou=services,dc=theoretic,dc=com" write
>   by * none

But to be able to create the uid entries, webregister needs to be able to create 
children under 'ou=users'. That's why this rule is here...

>
> But it only works as intended if I add the following 4th rule at the end,
> giving webregister write access to the grandparent node of the individual
> users (the parent of the node where users are created).
>
> ## Default to read access.
> access to dn=".*,dc=theoretic,dc=com"
>  by dn="uid=webregister,ou=services,dc=theoretic,dc=com" write
>  by self write
> # by * auth
> # by * search
>

I think if webregister can create children under ou=users, that's all it needs. It 
may also need read access to ou=users, to be able to reach 'that far' in the 
tree. The 'fourth' rule shouldn't be needed....


I urge you to try and make an ACL similar to the one I sent you in the earlier 
message. Use the exact ACL or 'translate' it to your situation as closely as 
possible. As I said, I wouldn't be surprised if someone who *really* 
understands ACLs would tell us that's not possible at all, and the reason 
why. 

Still....


Ace

website: http://www.suares.nl * http://www.qwikzite.nl
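The reasoning in the message above ("write on the entry pseudo-attribute plus write on the parent's children lets webregister add an entry it cannot read afterwards, and the fourth rule should not be needed") can be checked mechanically. The following is an added toy evaluator, not part of Ace's message and not slapd's own code: it models slapd's first-match `access to` / `by` evaluation, the `entry` and `children` pseudo-attributes and `dn.regex` with `$1` substitution, using the three rules from the thread (the third rule's `dc=example,dc=com` is assumed to be a typo for `dc=theoretic,dc=com`). `PARENT_READ` is an assumed narrower replacement for the quoted fourth rule; `FOURTH_RULE` is the quoted one, read as a regex the way a bare `dn=` was in slapd 2.1. Per-attribute checks on add done by newer slapd releases, and the `disclose`/`manage` levels, are deliberately not modelled.

```python
"""Toy model of slapd.conf ACL evaluation (added example, not slapd code)."""
import re

LEVELS = ["none", "auth", "compare", "search", "read", "write"]

WEBREGISTER = "uid=webregister,ou=services,dc=theoretic,dc=com"
USERS = "ou=users,dc=theoretic,dc=com"
ALICE = "uid=alice,ou=users,dc=theoretic,dc=com"   # constructed sample user
USER_RE = r"^uid=(.+),ou=users,dc=theoretic,dc=com$"
SELF_RE = r"^uid=$1,ou=users,dc=theoretic,dc=com$"  # $1 filled in from the target match

# rule = (target, attrs, clauses); target is ("base", dn) or ("regex", pattern);
# attrs None = any attribute, pseudo-attributes included (slapd's default);
# clause = (kind, value, level) with kind in base / regex / self / any.
THREAD_RULES = [
    # 1. entry pseudo-attribute of a user: owner reads, WebRegister writes
    (("regex", USER_RE), {"entry"},
     [("regex", SELF_RE, "read"), ("base", WEBREGISTER, "write"), ("any", None, "none")]),
    # 2. every other attribute of a user: owner only
    (("regex", USER_RE), None,
     [("regex", SELF_RE, "read"), ("any", None, "none")]),
    # 3. WebRegister may create children under ou=users
    (("base", USERS), {"children"},
     [("base", WEBREGISTER, "write"), ("any", None, "none")]),
]
# Assumed narrower alternative to the quoted fourth rule: read on ou=users only.
PARENT_READ = (("base", USERS), None,
               [("base", WEBREGISTER, "read"), ("any", None, "none")])
# The fourth rule as quoted in the thread (dn= taken as a regex).
FOURTH_RULE = (("regex", r"^.*,dc=theoretic,dc=com$"), None,
               [("base", WEBREGISTER, "write"), ("self", None, "write")])


def norm(dn):
    """Lower-case, no blanks after commas, so DNs compare by value."""
    return re.sub(r",\s*", ",", dn.strip()).lower()


def parent_of(dn):
    return norm(dn).split(",", 1)[1]


def access_level(rules, who, dn, attr):
    """First rule whose target matches decides; in it, first matching by-clause decides.
    No matching clause, or no matching rule at all, means none (slapd denies)."""
    dn, who = norm(dn), norm(who)
    for (kind, value), attrs, clauses in rules:
        if kind == "base":
            if dn != norm(value):
                continue
            groups = ()
        else:
            m = re.match(value, dn)
            if not m:
                continue
            groups = m.groups()
        if attrs is not None and attr not in attrs:
            continue
        for ckind, cvalue, level in clauses:
            if ckind == "any" or (ckind == "self" and who == dn) \
                    or (ckind == "base" and who == norm(cvalue)):
                return level
            if ckind == "regex":
                pat = cvalue
                for i, g in enumerate(groups, 1):
                    pat = pat.replace("$%d" % i, re.escape(g))
                if re.match(pat, who):
                    return level
        return "none"   # implicit "by * none" at the end of the rule
    return "none"


def allowed(rules, who, dn, attr, needed):
    return LEVELS.index(access_level(rules, who, dn, attr)) >= LEVELS.index(needed)


def can_add(rules, who, new_dn):
    """Add: write on the parent's children and write on the new entry's entry."""
    return (allowed(rules, who, parent_of(new_dn), "children", "write")
            and allowed(rules, who, new_dn, "entry", "write"))


def search_returns(rules, who, dn, filter_attrs=("objectclass",)):
    """Entry is returned only if the filter attributes are searchable and entry is readable."""
    return (all(allowed(rules, who, dn, a, "search") for a in filter_attrs)
            and allowed(rules, who, dn, "entry", "read"))


if __name__ == "__main__":
    print("webregister adds alice   :", can_add(THREAD_RULES, WEBREGISTER, ALICE))
    print("webregister sees alice   :", search_returns(THREAD_RULES, WEBREGISTER, ALICE))
    print("alice sees alice         :", search_returns(THREAD_RULES, ALICE, ALICE))
    print("webregister sees ou=users:", search_returns(THREAD_RULES, WEBREGISTER, USERS))
    print("  ... with PARENT_READ   :", search_returns(THREAD_RULES + [PARENT_READ], WEBREGISTER, USERS))
    print("4th rule: write ou=users :", allowed(THREAD_RULES + [FOURTH_RULE], WEBREGISTER, USERS, "description", "write"))
```

Two things the model makes visible: rule order is what creates the "create but not read" effect (swapping rules 1 and 2 makes rule 2's `by * none` cover the `entry` pseudo-attribute and the add is refused), and the quoted fourth rule grants webregister write on `ou=users` and on every other entry not already covered, whereas a `read` rule on `ou=users` alone is enough to let it browse to the parent.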