Re: regex in group ACL
Francois,
your mail was very useful to understand what's going on. I think there
might be a solution with either 2.1 or 2.2, and recent improvements in
HEAD will make it even more efficient, provided it matches your
requirements. There is still something I need to understand from your
mail; see below.
> # Entry 3:
> dn:cn=exampleSSOStorageV2,uid=denis,ou=Users,dc=example,dc=local
> versionNumber: 2
> cn: exampleSSOStorageV2
> objectClass: exampleSSOStorage
1.a) Is there a __finite__ set of account RDNs? I mean,
"exampleSSOStorageV2", "accountX" and so on, but a limited, well-defined
number of types, which are known at configure time, so they can be
enumerated in ACLs?
1.b) Or do they change and grow at run-time?
1.c) Furthermore, do users have children that are not accounts?
1.d) Or do accounts have children that are not delegations?
>
> As you can see, the accounts objects are stored as exampleSSOAccount
> objectClass entries, under an object of class exampleSSOStorage. The
> delegation objects are of class exampleSSOAccountDelegation
>
>> 4) Is the delegation's DN the identity you want to give access rights
>> for the user's entry?
>
> Probably due to the fact that English is not my natural language, I
> don't understand you.
.. or I need to reword my question :)
> But I think my LDIF export will be a good explanation.
>
> In this case, the access right rule would be :
>
> access to
> dn="cn=W02222226CAPP36UMM4SA4JUG6JURRUVWZ2222222222222222,cn=exampleSSOStorageV2,uid=denis,ou=Users,dc=example,dc=local"
> by dn="uid=francois,ou=Tests FB,dc=example,dc=local" read
>
> Indeed, I want a more generic rule :) and since "uid=francois,ou=Tests
> FB,dc=example,dc=local" is stored in the exampleSSOAccountDelegation
> object through its exampleUserEntityObject attribute :
>
> access to
> dn="cn=W02222226CAPP36UMM4SA4JUG6JURRUVWZ2222222222222222,cn=exampleSSOStorageV2,uid=denis,ou=Users,dc=example,dc=local"
> by
> group="cn=dc0d0c04-a7f4-1028-9b7a-c1ad53990353,cn=W02222226CAPP36UMM4SA4JUG6JURRUVWZ2222222222222222,cn=exampleSSOStorageV2,uid=denis,ou=Users,dc=example,dc=local"
> read
>
> (Where 'group' has to be replaced with
> 'group/exampleSSOAccountDelegation/exampleUserEntityObject')
>
> But here it only works for one account of one user, so the very generic
> rule would be :
>
> access to filter="(objectClass=exampleSSOAccount)" dn.regex="(.*)"
> by group.regex="(.*),$1" read
>
> But this doesn't work (see my previous posts)
>
> Important precision : *One delegation object is created of each user
> which the account is delegated to*. So there can be several
> exampleSSOAccountDelegation objects under one exampleSSOAccount object.
> And there is only one value of exampleUserEntityObject in a
> exampleSSOAccountDelegation entry.
>
> So maybe I could find a way with dnattr... but I don't find one
Initially, I thought your intention was to give __delegation__ access to
the ___user__ entry, so in a rule
access to <what>
by <who> <rights>
the <what> is __user__ and the <who> is __delegation__
In this case you can do
access to dn.regex="^uid=([^,]+),ou=Tests FB,dc=example,dc=local$"
by
dn.regex="^cn=[^,]+,cn=[^,]+,uid=$1,ou=Users,dc=example,dc=local$"
<access>
The DN in the <who> clause, as opposed to groups, __IS__ evaluated as a
regex.
But now I seem to realize that you want to do the opposite, i.e. give
__user__ access to the __delegation__ entry, so in a rule
access to <what>
by <who> <rights>
the <what> is __delegation__ and the <who> is __user__
In this case you can do (2.2)
access to dn.regex="^cn=[^,]+,cn=[^,]+,uid=([^,]+),ou=Tests FB,dc=example,dc=local$"
by dn.exact,expand="uid=$1,ou=Users,dc=example,dc=local" <access>
or (2.1)
access to dn.regex="^cn=[^,]+,cn=[^,]+,uid=([^,]+),ou=Tests FB,dc=example,dc=local$"
by dn.regex="^uid=$1,ou=Users,dc=example,dc=local$" <access>
Of course these rules do not have granularity on the account or on the
delegation (everything whose RDN has "cn" as naming attribute is fine) but
I assume that's what you want. In the latter case you can narrow the
selection by adding a filter on the objectClass of the delegation.
Hope it helps.
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
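The "$1" mechanics discussed in the thread, as an added Python model (not slapd code and not from either poster) of how a group captured by the <what> dn.regex is expanded into the <who> clause, for both the 2.2 dn.exact,expand style and the 2.1 dn.regex style. The DNs are constructed to follow the posted LDIF, and the three-cn-level pattern is an assumption based on that layout.

```python
import re

# Added example (not slapd code): a small model of how an OpenLDAP ACL
# carries "$1", captured by the <what> dn.regex, into the <who> clause.
# Simplifications: no DN normalization, no rights, a single "by" clause.

# Constructed DNs laid out like the LDIF in the thread:
# delegation -> account -> storage -> user (three "cn" RDNs above the uid).
USER_DN = "uid=denis,ou=Users,dc=example,dc=local"
DELEGATION_DN = (
    "cn=dc0d0c04-a7f4-1028-9b7a-c1ad53990353,"
    "cn=W02222226CAPP36UMM4SA4JUG6JURRUVWZ2222222222222222,"
    "cn=exampleSSOStorageV2," + USER_DN
)
OTHER_USER_DN = "uid=francois,ou=Tests FB,dc=example,dc=local"

# <what>: any entry three "cn" levels below a user entry; group 1 is that user's uid.
WHAT = r"^cn=[^,]+,cn=[^,]+,cn=[^,]+,uid=([^,]+),ou=Users,dc=example,dc=local$"


def expand(template, match):
    """Substitute $1..$9 in a <who> pattern with the groups captured by <what>."""
    return re.sub(r"\$([1-9])", lambda m: match.group(int(m.group(1))), template)


def who_matches(what_regex, who_style, who_pattern, target_dn, bind_dn):
    """Return None if the rule does not apply to target_dn; otherwise whether
    bind_dn satisfies the <who> clause after $n expansion."""
    m = re.search(what_regex, target_dn, re.IGNORECASE)
    if m is None:
        return None
    who = expand(who_pattern, m)
    if who_style == "dn.exact,expand":      # 2.2: expand, then compare literally
        return who.lower() == bind_dn.lower()
    if who_style == "dn.regex":             # 2.1: the expanded text is itself a regex
        return re.search(who, bind_dn, re.IGNORECASE) is not None
    raise ValueError("unsupported <who> style: " + who_style)


if __name__ == "__main__":
    # The owner of the subtree is allowed, a different user is not.
    print(who_matches(WHAT, "dn.exact,expand", "uid=$1,ou=Users,dc=example,dc=local",
                      DELEGATION_DN, USER_DN))        # True
    print(who_matches(WHAT, "dn.regex", "^uid=$1,ou=Users,dc=example,dc=local$",
                      DELEGATION_DN, OTHER_USER_DN))  # False
    print(who_matches(WHAT, "dn.exact,expand", "uid=$1,ou=Users,dc=example,dc=local",
                      USER_DN, USER_DN))              # None: rule is not about user entries
```

Note that with the dn.regex style the substituted value is interpreted as regex text, so a captured RDN containing regex metacharacters would match more than the literal value; dn.exact,expand avoids that.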