
Re: Regular expression in ACLs



Matthijs Mohlmann wrote:

>Hi,
>
>I'm setting up my ACLs and I'm running into some problems.
>
>When I have this ACL:
>access to dn.regex="^.*,ou=([^,]+),ou=([^,]+),ou=users,dc=example,dc=net$"
>        by dn="cn=admin,dc=example,dc=net" write
>        by dn.regex="ou=$1, ou=$2, ou=users, dc=example,dc=net" write
>        by dn="cn=apache,ou=accounts,dc=example,dc=net" none break
>        by dn="cn=smtp,ou=accounts,dc=example,dc=net" none break
>        by * none
>
>Then the expression ou=([^,]+),ou=([^,]+) is nicely substituted into $1 and
>$2. For example:
>ou=test,ou=test1.test,ou=test2,ou=users,dc=example,dc=net
>$1: test1
>$2: test2
>When I then log in with ou=test1.test,ou=test2,ou=users,dc=example,dc=net
>I've got write access to
>ou=test,ou=test1.test,ou=test2,ou=users,dc=example,dc=net
>
>Well, the next ACL won't work and I don't get it:
>access to dn.regex="^.*,dc=([^,]+),dc=([^,]+),ou=hosts,dc=example,dc=net$"
>        by dn="cn=admin,dc=example,dc=net" write
>        by dn.regex="ou=$1.$2, ou=$2, ou=users, dc=example,dc=net" write
>        by dn="cn=apache,ou=accounts,dc=example,dc=net" none break
>        by dn="cn=smtp,ou=accounts,dc=example,dc=net" none break
>        by * none
>But the following doesn't match this:
>dc=test,dc=test2,dc=test,ou=hosts,dc=example,dc=net
>In this example it should convert it to:
>$1: test2
>$2: test
>And the ou=$1.$2, ou=$2, ou=users, dc=example,dc=net becomes:
>ou=test2.test,ou=test,ou=users,dc=example,dc=net
>
>But somehow this doesn't work. Can someone point out to me what I'm doing
>wrong?
>
>


1) You don't specify what version of OpenLDAP's slapd you're using; this is particularly important when addressing ACL issues, because ACL behavior changed by design between major and minor versions, and may change over bugfix versions because of bugfixes.

2) In your ACLs the "by" clauses look a bit loose, so it's not really clear what you want to obtain; but again, some choices may find an explanation if you happen to use an old version.

3) While the first case is clear (and I've been able to reproduce it very easily), the second is not. Let's restrict to what seems to be your issue: you want the following rule

access to dn.regex="^.*,dc=([^,]+),dc=([^,]+),ou=hosts,dc=example,dc=net$"
        by dn.regex="ou=$1.$2, ou=$2, ou=users, dc=example,dc=net" write

to match "dc=test,dc=test2,dc=test,ou=hosts,dc=example,dc=net" when accessed by identity "ou=test2.test,ou=test,ou=users,dc=example,dc=net", right? Well, this works fine; for instance, if you use the slapacl tool from HEAD code, it results in:

slapacl -d 128 -f testrun/slapd.1.conf -D ou=test2.test,ou=test,ou=users,dc=example,dc=net -b 'dc=test,dc=test2,dc=test,ou=hosts,dc=example,dc=net' entry
bdb_back_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003)
bdb_back_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003)
bdb_db_init: Initializing bdb database
Backend ACL: access to dn.regex="^.*,dc=([^,]+),dc=([^,]+),ou=hosts,dc=example,dc=net$"
        by dn.regex="ou=$1.$2,ou=$2,ou=users,dc=example,dc=net" write(=wrscx)

DN: "ou=test2.test,ou=test,ou=users,dc=example,dc=net"
=> access_allowed: auth access to
"dc=test,dc=test2,dc=test,ou=hosts,dc=example,dc=net" "entry" requested
=> dnpat: [1] ^.*,dc=([^,]+),dc=([^,]+),ou=hosts,dc=example,dc=net$ nsub: 2
=> acl_get: [1] matched
=> acl_get: [1] attr description
=> acl_mask: access to entry
"dc=test,dc=test2,dc=test,ou=hosts,dc=example,dc=net", attr "entry"
requested
=> acl_mask: to value by
"ou=test2.test,ou=test,ou=users,dc=example,dc=net", (=n)
<= check a_dn_pat: ou=$1.$2,ou=$2,ou=users,dc=example,dc=net
<= acl_mask: [1] applying write(=wrscx) (stop)
<= acl_mask: [1] mask: write(=wrscx)
=> access_allowed: auth access granted by write(=wrscx)
entry: write(=wrscx)

I just ran test003, then changed the suffix in "dc=example,dc=net" and
ran the test as indicated above; note that it works also with your
entire rule, not just the extracted portion under discussion.  Of
course, if you're using an earlier version, testing this can be a bit
harder and requires running slapd and trying a modification with debug
level set to 128.

p.




SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
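As an added illustration (not from the thread or from OpenLDAP), a small Python model of the backreference substitution discussed above: the "access to" regex is matched against the entry DN, $1/$2 are expanded into the "by dn.regex" pattern, and the result is compared with the bind DN. It assumes slapd drops the spaces after commas in the pattern, as the slapacl trace shows, and goes beyond the thread to show that the unescaped "." in ou=$1.$2 is a regex wildcard, beside an anchored, escaped variant that is my suggestion.

```python
import re

# Constructed from the two ACLs quoted in the thread (not slapd code).
USERS_TO = r"^.*,ou=([^,]+),ou=([^,]+),ou=users,dc=example,dc=net$"
USERS_BY = "ou=$1, ou=$2, ou=users, dc=example,dc=net"
HOSTS_TO = r"^.*,dc=([^,]+),dc=([^,]+),ou=hosts,dc=example,dc=net$"
HOSTS_BY = "ou=$1.$2, ou=$2, ou=users, dc=example,dc=net"
# Hardened variant (my suggestion, not from the thread): anchored, and the
# literal dot escaped so it no longer matches any single character.
HOSTS_BY_STRICT = r"^ou=$1\.$2,ou=$2,ou=users,dc=example,dc=net$"

def normalize(dn):
    # Drop whitespace after commas, mirroring the space-free "by" pattern
    # that the slapacl trace prints (assumption about slapd's normalisation).
    return re.sub(r",\s+", ",", dn)

def expand_backrefs(by_pattern, groups):
    # Substitute $1..$9 with the groups captured by the "access to" regex.
    return re.sub(r"\$(\d)", lambda m: groups[int(m.group(1)) - 1], by_pattern)

def evaluate(target_dn, bind_dn, to_regex, by_regex):
    # Returns (captured groups, expanded "by" pattern, granted?).
    # The "access to" clause is matched first; only if it applies are its
    # captures substituted into the "by" clause and checked against bind_dn.
    m = re.search(to_regex, normalize(target_dn))
    if not m:
        return (), None, False
    expanded = expand_backrefs(normalize(by_regex), m.groups())
    granted = re.search(expanded, normalize(bind_dn)) is not None
    return m.groups(), expanded, granted

if __name__ == "__main__":
    host = "dc=test,dc=test2,dc=test,ou=hosts,dc=example,dc=net"
    cases = [
        ("users", USERS_TO, USERS_BY,
         "ou=test,ou=test1.test,ou=test2,ou=users,dc=example,dc=net",
         "ou=test1.test,ou=test2,ou=users,dc=example,dc=net"),
        ("hosts", HOSTS_TO, HOSTS_BY, host,
         "ou=test2.test,ou=test,ou=users,dc=example,dc=net"),
        # Unescaped "." in the by-clause also matches a stray character.
        ("hosts-loose", HOSTS_TO, HOSTS_BY, host,
         "ou=test2Xtest,ou=test,ou=users,dc=example,dc=net"),
        ("hosts-strict", HOSTS_TO, HOSTS_BY_STRICT, host,
         "ou=test2Xtest,ou=test,ou=users,dc=example,dc=net"),
    ]
    for label, to_rx, by_rx, target, bind in cases:
        groups, expanded, granted = evaluate(target, bind, to_rx, by_rx)
        print(f"{label:12} groups={groups} granted={granted}")
```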