Re: ACL optimization
If you could simplify your rules by using the value of "host" as the "cn"
of the identity that's allowed write access to that host, e.g.
<snip>
access to dn.children="ou=people,ou=accounts,dc=domain"
filter=(&(host=server1)(fpstatus=active))
attrs=uidNumber,objectclass,uid,gidNumber,homeDirectory,host,@fadesaPerson,@inetlocalmailrecipient,@krb5principal,krb5KDCFlags
by dn.exact="cn=server1,ou=acl,dc=domain" ssf=128 read
by * none break
access to dn.children="ou=people,ou=accounts,dc=domain"
filter=(&(host=server1)(fpstatus=active))
by dn.exact="cn=server1,ou=acl,dc=domain" ssf=128 write
by * none break
</snip>
and if you use OpenLDAP 2.3, you could use these two rules instead of yours:
access to dn.children="ou=people,ou=accounts,dc=domain"
filter="(fpstatus=active)"
attrs=uidNumber,objectclass,uid,gidNumber,homeDirectory,host,@fadesaPerson,@inetlocalmailrecipient,@krb5principal,krb5KDCFlags
by set="user & ([cn=]+this/host+[,ou=acl,dc=domain])" ssf=128 read
by * none break
access to dn.children="ou=people,ou=accounts,dc=domain"
filter="(fpstatus=active)"
by set="user & ([cn=]+this/host+[,ou=acl,dc=domain])" ssf=128 write
by * none break
You need OpenLDAP 2.3 because in earlier versions no "+" operator was
available in sets. Please note that the literal portions of the DN that
go into square brackets must be normalized, because DN comparison is done
with the normalized DN of the user, but no normalization occurs in sets.
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
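To make the normalization caveat concrete, here is an added example that models how the `set` rule above is evaluated. It is not part of the original message and not OpenLDAP code: `normalize_dn` is a simplified stand-in for slapd's DN normalization (lowercased attribute types, whitespace stripped, values lowercased on the assumption that cn, ou and dc are all caseIgnore), the `+` operator is modelled as a pairwise concatenation of the two sets (an assumption about how multi-valued `host` behaves), and the bind DNs and entries are constructed sample data.

```python
"""Model of the OpenLDAP set ACL  user & ([cn=]+this/host+[,ou=acl,dc=domain]).

Added illustration, not slapd code. It shows why the literal parts inside the
square brackets must already be in normalized form: the 'user' side is the
normalized bind DN, but nothing normalizes the strings built inside the set.
"""


def normalize_dn(dn):
    """Approximation of slapd DN normalization (assumption): lowercase the
    attribute types, strip whitespace around '=' and ',', and lowercase the
    values because cn, ou and dc all use caseIgnore matching."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def concat(left, right):
    """The set '+' operator, modelled as pairwise string concatenation
    (assumption): every string in left joined with every string in right."""
    return {a + b for a in left for b in right}


def evaluate_set_rule(bind_dn, entry,
                      prefix="cn=", suffix=",ou=acl,dc=domain"):
    """Evaluate  user & ([prefix]+this/host+[suffix])  for one target entry.

    bind_dn: the DN the client authenticated as (slapd compares its
             normalized form).
    entry:   dict of attribute -> list of values for the entry being accessed;
             'this/host' is the set of its 'host' values.
    Returns the intersection; access is granted when it is non-empty.
    """
    user = {normalize_dn(bind_dn)}
    hosts = set(entry.get("host", []))
    # Literals are used exactly as written: no normalization inside the set.
    rhs = concat(concat({prefix}, hosts), {suffix})
    return user & rhs


def access_granted(bind_dn, entry, **literals):
    return bool(evaluate_set_rule(bind_dn, entry, **literals))


# Constructed sample entries, in the shape of the ou=people subtree above.
ALICE = {"uid": ["alice"], "host": ["server1"], "fpstatus": ["active"]}
BOB = {"uid": ["bob"], "host": ["server1", "server2"], "fpstatus": ["active"]}
CAROL = {"uid": ["carol"], "fpstatus": ["active"]}  # no host attribute

if __name__ == "__main__":
    # The host identity reaches its own users, even with an unnormalized bind DN.
    print(access_granted("CN=Server1, OU=ACL, DC=domain", ALICE))   # True
    # A literal written as ',ou=ACL,dc=domain' never matches: the caveat.
    print(access_granted("cn=server1,ou=acl,dc=domain", ALICE,
                         suffix=",ou=ACL,dc=domain"))              # False
    # Multi-valued host: bob is reachable from both server identities.
    print(access_granted("cn=server2,ou=acl,dc=domain", BOB))      # True
    # An entry without host yields an empty set, so nobody matches via this rule.
    print(access_granted("cn=server1,ou=acl,dc=domain", CAROL))    # False
```

Running it shows the asymmetry the message warns about: the bind DN is compared in normalized form, so `CN=Server1, OU=ACL, DC=domain` still matches, while a literal suffix typed as `,ou=ACL,dc=domain` inside the brackets silently denies every host identity.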