Re: Tricky ACL

[Pierangelo Masarati <ando@sys-net.it>]

Kasundra, Digant wrote:


> I'm trying to figure out how to do a particularly tricky ACL.  
> Basically, I have a People branch and an Account branch.  The people 
> branch has an attribute per entry called accountName which is the UID 
> of their account in the account branch (the uid forms the dn of the 
> account branch but the accountName attribute is just the uid, not the 
> full dn).  People bind to the directory using their account entry, not 
> their person entry.  I want to create an ACL such that a person bound 
> to an account can read attributes associated with their person 
> account.  I tried the following but slapd complained:
>
> access to dn.subtree="cn=people,dc=uta,dc=edu"
> attrs="entry,someAttribute,accountName val=$1"
> by dn.regex="uid=(.*),cn=accounts,dc=uta,dc=edu" 
> peername.regex="129.107.*" read
>
> When I did this, it would complain of unknown attribute "accountName 
> val=$1".
>
> Is what I am trying to do even possible?
You don't say what version you're using; this may impact the 
availability of certain ACLs.  For HEAD code, which should be relatively 
similar to 2.2.17 in this field, the slapd.access(5) man page documents 
the "val" option for attributeType qualification; it says
   attrs=<attr> val[.<style>]=<attrval>
which means that only one attribute type must be present ("<attr>"); it 
doesn't mention submatch (from DN?) expansion, and I'm pretty sure the 
code doesn't do that.  What you want to do can be obtained by using

access to dn.subtree="cn=people,dc=uta,dc=edu"
   by set.exact="this/accountName & user/uid" read

Of course you may need more rules to make sure that "user" actually is 
an account.

p.





   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497