Re: regex in group ACL
Hi Pierangelo,
Pierangelo Masarati wrote:
> I think I'm missing a few details.
> 1) Can you show a "real" example (i.e. omit sensitive data, but
> present a full example of a user, an account and a delegation)?
Here it is:
---------------------------------------------------
version: 1
# Entry 1:
dn:uid=denis,ou=Users,dc=example,dc=local
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSAMAccount
cn: denis
sn: denis
uid: denis
uidNumber: 1007
gidNumber: 513
homeDirectory: /home/denis
loginShell: /bin/bash
gecos: System User
description: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: System User
sambaSID: S-1-5-21-3579097732-1377074360-2699113850-3014
sambaPrimaryGroupSID: S-1-5-21-3579097732-1377074360-2699113850-513
sambaLogonScript: denis.cmd
sambaProfilePath: \\SAMBA-PDC\profiles\denis
sambaHomePath: \\SAMBA-PDC\homes\denis
sambaHomeDrive: H:
sambaLMPassword:
sambaAcctFlags: [U]
sambaNTPassword:
sambaPwdLastSet: 1095433824
sambaPwdMustChange: 1103987424
userPassword:
# Entry 3:
dn:cn=exampleSSOStorageV2,uid=denis,ou=Users,dc=example,dc=local
versionNumber: 2
cn: exampleSSOStorageV2
objectClass: exampleSSOStorage
# Entry 4:
dn: cn=W02222226CAPP36UMM4SA4JUG6JURRUVWZ2222222222222222,cn=exampleSSOStorage
 V2,uid=denis,ou=Users,dc=example,dc=local
cn: W02222226CAPP36UMM4SA4JUG6JURRUVWZ2222222222222222
objectClass: exampleSSOAccount
exampleSSOAccountLoginIdentifier:: NzQ2Zjc0NmY=
exampleSSOAccountPassword::
 MDAwMDAwMDIwMDAxMDAwMzAwMDAwMDEwZmQwYTllODQyOWVmM
 jhkOTIwMmU0MjMxNTM0ZjgwNGI=
exampleApplicationObject:
 cn=ec871f8b82f24dca81ff296f66dff816,ou=Applications
 ,dc=example,dc=local
exampleAccountType: 0
exampleLastUpdateTime: 1096636884
# Entry 5:
dn: cn=dc0d0c04-a7f4-1028-9b7a-c1ad53990353,cn=W02222226CAPP36UMM4SA4JUG6JURR
 UVWZ2222222222222222,cn=exampleSSOStorageV2,uid=denis,ou=Users,dc=example,dc=
 local
exampleExpirationDate: 1097500951
exampleDelegationRightsData: 0
cn: dc0d0c04-a7f4-1028-9b7a-c1ad53990353
objectClass: exampleSSOAccountDelegation
exampleUserEntityObject: uid=francois,ou=Tests FB,dc=example,dc=local
------------------------------------------------------------------------
As you can see, the account objects are stored as entries of objectClass
exampleSSOAccount, under an object of class exampleSSOStorage. The
delegation objects are of class exampleSSOAccountDelegation.
> 2) For instance, can a user have more than one account?
Yes, he can.
> 3) What does an account's RDN look like?
It is an ID generated by our software, which identifies the account by
encoding several pieces of information, so that the object can be accessed
without having to do a search request to retrieve its DN.
> 4) Is the delegation's DN the identity you want to give access rights
> for the user's entry?
Probably because English is not my native language, I don't understand
you. But I think my LDIF export will be a good explanation.
In this case, the access rule would be:
access to
    dn="cn=W02222226CAPP36UMM4SA4JUG6JURRUVWZ2222222222222222,cn=exampleSSOStorageV2,uid=denis,ou=Users,dc=example,dc=local"
    by dn="uid=francois,ou=Tests FB,dc=example,dc=local" read
Indeed, I want a more generic rule :) and since "uid=francois,ou=Tests
FB,dc=example,dc=local" is stored in the exampleSSOAccountDelegation
object through its exampleUserEntityObject attribute:
access to
    dn="cn=W02222226CAPP36UMM4SA4JUG6JURRUVWZ2222222222222222,cn=exampleSSOStorageV2,uid=denis,ou=Users,dc=example,dc=local"
    by
    group="cn=dc0d0c04-a7f4-1028-9b7a-c1ad53990353,cn=W02222226CAPP36UMM4SA4JUG6JURRUVWZ2222222222222222,cn=exampleSSOStorageV2,uid=denis,ou=Users,dc=example,dc=local"
    read
(Where 'group' has to be replaced with
'group/exampleSSOAccountDelegation/exampleUserEntityObject')
But this only works for one account of one user, so the really generic
rule would be:
access to filter="(objectClass=exampleSSOAccount)" dn.regex="(.*)"
    by group.regex="(.*),$1" read
But this doesn't work (see my previous posts).
Important precision: *one delegation object is created for each user
to whom the account is delegated*. So there can be several
exampleSSOAccountDelegation objects under one exampleSSOAccount object,
and there is only one value of exampleUserEntityObject in an
exampleSSOAccountDelegation entry.
So maybe I could find a way with dnattr... but I can't find one.
Thank you for your help
François
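The following is an added example, not part of François's post and not OpenLDAP code: a small offline simulation of the access decision the ACL above is trying to express. It parses a trimmed, constructed copy of the LDIF from the thread (unfolding RFC 2849 continuation lines and decoding `::` base64 values), then grants read access on an exampleSSOAccount entry to a bind DN only when a child exampleSSOAccountDelegation entry names that DN in exampleUserEntityObject. It also shows, in `dnattr_style_check`, what a `dnattr`-style test would look at: an attribute on the target entry itself, which is why it cannot see a value stored on a child entry. Function names such as `can_read_account` and `delegations_for` are ours.

```python
"""Added example (not from the thread): simulate the delegation-based read
access François wants, using the sample LDIF from the post.
Names such as can_read_account and delegations_for are ours, not OpenLDAP's."""
import base64

# Constructed sample, trimmed from the thread's LDIF export.  Lines that start
# with a single space are RFC 2849 continuation lines.
SAMPLE_LDIF = """\
dn: uid=denis,ou=Users,dc=example,dc=local
objectClass: inetOrgPerson
uid: denis

dn: cn=exampleSSOStorageV2,uid=denis,ou=Users,dc=example,dc=local
objectClass: exampleSSOStorage
cn: exampleSSOStorageV2

dn: cn=W02222226CAPP36UMM4SA4JUG6JURRUVWZ2222222222222222,cn=exampleSSOStorage
 V2,uid=denis,ou=Users,dc=example,dc=local
objectClass: exampleSSOAccount
exampleSSOAccountLoginIdentifier:: NzQ2Zjc0NmY=

dn: cn=dc0d0c04-a7f4-1028-9b7a-c1ad53990353,cn=W02222226CAPP36UMM4SA4JUG6JURR
 UVWZ2222222222222222,cn=exampleSSOStorageV2,uid=denis,ou=Users,dc=example,dc=
 local
objectClass: exampleSSOAccountDelegation
exampleUserEntityObject: uid=francois,ou=Tests FB,dc=example,dc=local
"""

ACCOUNT_DN = ("cn=W02222226CAPP36UMM4SA4JUG6JURRUVWZ2222222222222222,"
              "cn=exampleSSOStorageV2,uid=denis,ou=Users,dc=example,dc=local")


def normalize_dn(dn):
    """Simplified DN normalisation: lowercase, no blanks around commas.
    Good enough for the sample; escaped commas in RDN values are not handled."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parent_dn(dn):
    """DN of the entry one level up ('' for a DN without a comma)."""
    return dn.partition(",")[2]


def parse_ldif(text):
    """Return {normalized dn: {attr: [values]}}.  Unfolds continuation lines,
    decodes '::' base64 values, skips comments and the version line."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:   # continuation of previous line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = {}, None
    for line in logical + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries[normalize_dn(current["dn"][0])] = current
            current = None
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        current = current if current is not None else {}
        current.setdefault(name, []).append(value)
    return entries


def delegations_for(entries, account_dn):
    """All exampleSSOAccountDelegation entries directly under the account."""
    acc = normalize_dn(account_dn)
    return [e for dn, e in entries.items()
            if parent_dn(dn) == acc
            and "exampleSSOAccountDelegation" in e.get("objectClass", [])]


def can_read_account(entries, bind_dn, target_dn):
    """The intended rule: read on an exampleSSOAccount entry iff some child
    delegation entry lists the bind DN in exampleUserEntityObject."""
    target = entries.get(normalize_dn(target_dn))
    if target is None or "exampleSSOAccount" not in target.get("objectClass", []):
        return False                         # rule covers account entries only
    who = normalize_dn(bind_dn)
    return any(normalize_dn(v) == who
               for d in delegations_for(entries, target_dn)
               for v in d.get("exampleUserEntityObject", []))


def dnattr_style_check(entries, bind_dn, target_dn):
    """What a dnattr-style test sees: the attribute on the target entry itself.
    The value lives on the child delegation entry, so this never matches here."""
    target = entries.get(normalize_dn(target_dn), {})
    return normalize_dn(bind_dn) in {normalize_dn(v)
                                     for v in target.get("exampleUserEntityObject", [])}


ENTRIES = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    for who in ("uid=francois,ou=Tests FB,dc=example,dc=local",
                "uid=denis,ou=Users,dc=example,dc=local"):
        print(who, "->", can_read_account(ENTRIES, who, ACCOUNT_DN))
```

The `who` that a delegation names is only reachable by walking from the target account to its children, which is the relation the `$1` expansion in the post tries to capture; a check that reads attributes of the target entry alone cannot express it.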