[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL question...

To: krishna@EVERYONE.NET
Subject: Re: ACL question...
From: Pierangelo Masarati <ando@sys-net.it>
Date: Sat, 14 Jan 2006 18:22:13 +0100
Cc: openldap-software@OpenLDAP.org
In-reply-to: <6.2.1.2.0.20060114080057.02996528@mail.openldap.org>
References: <20060112223300.9DFEDFD0@mailweb37.mta.everyone.net> <6.2.1.2.0.20060114080057.02996528@mail.openldap.org>

On Sat, 2006-01-14 at 08:23 -0800, Kurt D. Zeilenga wrote:
> At 10:33 PM 1/12/2006, Krishna Sivaramapuram wrote:
> >I don't get it. Can you please explain a bit?

You may need further access control e.g. to allow users to bind and to
allow reading other stuff; here I focus on the essential part.

Basically:

# --- One-user version ---

# Allow owner to write entries
access to dn.eact="cn=ABook,uid=user,dc=example,dc=com"
                attrs=children
        by dn.exact="uid=user,dc=example,dc=com" write

# Allow owner to register authorized people
access to dn.exact="cn=ABook access,uid=user,dc=example,dc=com"
    by dn.exact="uid=user,dc=example,dc=com" write

# Allow owner to write and group members to read entries
access to dn.subtree="cn=ABook,uid=user,dc=example,dc=com"
        by dn.exact="uid=user,dc=example,dc=com" write
        by group="cn=ABook access,uid=user,dc=example,dc=com" read

# --- regex version ---

# Allow owner to write entries
access to dn.regex="^cn=ABook,uid=([^,]+),dc=example,dc=com$"
                attrs=children
        by dn.exact,expand="uid=$1,dc=example,dc=com" write

# Allow owner to register authorized people
access to dn.regex="^cn=ABook access,uid=([^,]+),dc=example,dc=com$"
        by dn.exact,expand="uid=$1,dc=example,dc=com" write

# Allow owner to write and group members to read entries
access to dn.regex="^(.+,)?cn=ABook,uid=([^,]+),dc=example,dc=com$"
        by dn.exact,expand="uid=$2,dc=example,dc=com" write
        by group.expand="cn=ABook access,uid=$2,dc=example,dc=com" read

> 
> I don't have time at the moment to explain it in detail.
> 
> >If I create a group under a user with a list of member DN's from the LDAP tree, how do I use that access group to give access to those DN's to use personal addressbooks of that user.
> 
> Start with one user, use "by group".
> Expand to multiple users through use of .regex/.expand.
> 
> >Also, let's say this user creates multiple named personal addressbooks and he wants to give different kind of permissions to different users. How can I do this with this scheme?
> 
> fancier regular expressions.
> 
> >Is there any good book that discusses these kind of strategies?

> Well, I suggest you start with the Admin Guide and FAQ.

The most complete doc is the slapd.access(5) man page; it's meant as a
reference guide, not a tutorial.  I suggest you follow Kurt's
suggestions and, in case you need details about specific directives,
look them up in slapd.access(5).

> Once you understand the basics, which these documents
> cover (and then some) reasonably well, you should be able
> to build additionally complex ACLs.  You might want to
> read up on regular expressions, the FAQ has some pointers.

p.




Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------

References:
- Re: ACL question...
  - From: "Krishna Sivaramapuram" <krishna@EVERYONE.NET>
- Re: ACL question...
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Re: ACL question...
Next by Date: LDAPv2 doesn't work in 2.3.17
Index(es):
- Chronological
- Thread