Re: ACLs by netgroup?
[your message appears completely scrambled; I'll do my best to answer]
> Thanks for your suggestions. I have two questions about sets:
>
> 1) Can you confirm(/deny) that access is allowed if the set is not empty,
> regardless of what's in the set. (My initial impression was that the set would
> evaluate to a set of DNs,DNsd the designated access would occur if the binding
> user matched one of those DNs)DNs
Yes, access is granted if the set is non-empty.
No, the set does not need to be made of DNs; see the examples in the
FAQ.
> As trivial example, if there is a group:
>
> dn: dn=scnrage,ou=Gouups,dc=example,dc=com
> cn: cnorage
> objeobjectClassougroupOfUniqueNamesjeobjectClassp
> uniquniqueMemberd=uidkworkerbee=Pouple,dc=example,dc=com
> uniquniqueMemberd=uidkworkerbee=Pouple,dc=example,dc=com
> uniquniqueMemberd=uidkworkerbee=Pouple,dc=example,dc=com
>
> then the following ACL ACLows write acesacessthe attrattrruserPasswordgardless
> of who binds, yes?
>
> access to attrattrsruserPassword by set="(
> [cn=scnrage,ou=gouups,dc=example,dc=com]/uniquniqueMember
> [uid=uidkworkerbee=pouple,dc=ofotofotocom] " write
> by anonymous authauth by * none
>
> 2) I was not able to get your first example to work. I am wondering if it is
> because the set will always evaluate to the empty set, unless "this" is the
> same as "user" (in which case it works, but then we can use "self"). Is there
> a different syntax that you can suggest, that would achieve the same intent?
> (returning a non-empty set if each of the constituent statements is non-empty).
> I played around a bit with no success, but this is all new to me.
Not sure about the first example; for sure the last one works as
intended (I mean: as I intended; we might not yet intend the same
behavior...).
>
> Your example:
> access to attrattrsruserPassword self =xw
> xw set="([cn=gcnup]/member & this) & ([cn=gcnup]/owner & user)" =xw
> xw * =x
>
> I was able to get these two aclsaclswork:
>
> access to attrattrsruserPassword self =xw
> xw set="([cn=gcnup]/member & this) " =xw
> xw * =x
>
> access to attrattrsruserPassword self =xw
> xw set="([cn=gcnup]/owner & user)" =xw
> xw * =x
>
> When I &'d them, things stop working.
>
> I haven't gotten the third example to work yet, though I believe that's because
> I'm flailing on the syntax:
> by
> set.expand="[ldapldapdc=suffix??sub?(&(objeobjectClassugroupOfNamesmber=$0))]/owner
> & user" =xw
> xwthanks
> sam
> samps. pswill work on using grougroupOfNamesther than grougroupOfUniqueNameshen
> I have time to rewrite our data.
> we are running slapslapd.19
Since access control works per <what>, we need to work with that. As
far as I understand, you want manager to be able to change the password
of the workerbee. If you have a "groupOfNames" for each manager that
lists the related workerbees in the "member" and the manager in the
"owner", then you want to build a rule that, when the <what> is the
workerbee's password, it collects the groups the workerbee is member of
and ANDs their owner with the identity that's performing the operation.
So:
[ldap:///dc=base??sub?(&(objectClass=groupOfNames)(member=$0))]/owner
selects the owner of all groups the <what> ($0) is member of; all you
need to do is AND that set with the identity that's performing the
operation (user), i.e.
[ldap:///dc=base??sub?(&(objectClass=groupOfNames)(member=$0))]/owner & user
The resulting set is either empty, or it consists of "user"; the value
in case of non-empty set doesn't really matter, as all that's required
to grant access is a non-empty set.
I wouldn't spend too much effort in the other examples, as they are
limited to single cases, so you'd need to write one rule for each
manager/group.
p.
Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
------------------------------------------
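As an added illustration (not part of the original thread), here is the set expression from the reply placed in a complete slapd.conf access directive; it assumes a suffix of dc=example,dc=com, the group layout described in the reply (a groupOfNames per manager with the workerbees in member and the manager in owner), and that the <what> clause uses dn.regex so that $0 expands to the DN of the entry being accessed.

```conf
# Added example, not from the original thread.  Assumed data layout
# (LDIF, shown here only as a comment):
#
#   dn: cn=team-a,ou=Groups,dc=example,dc=com
#   objectClass: groupOfNames
#   cn: team-a
#   owner: uid=manager,ou=People,dc=example,dc=com
#   member: uid=workerbee,ou=People,dc=example,dc=com
#
# The regex in <what> makes $0 the DN of the entry whose userPassword is
# being accessed.  The URL filter (member=$0) therefore selects every
# groupOfNames that lists that entry as a member, "/owner" collects the
# owner values of those groups, and "& user" intersects that set with
# the bound DN.  The set is non-empty, and write is granted, only when
# the bound user owns at least one group the target entry belongs to.
access to dn.regex="^(.+)$" attrs=userPassword
    by self write
    by set.expand="[ldap:///dc=example,dc=com??sub?(&(objectClass=groupOfNames)(member=$0))]/owner & user" write
    by anonymous auth
    by * none
```

Because the rule keys off group membership rather than a fixed DN, one directive covers every manager/group pair, which is the point made in the reply about not writing one rule per manager.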