
Re: ACLs by netgroup?



thanks for your answers and sorry about the scrambling...not sure what
happened, but it looks like you figured out what I was asking.

I found syntax that works for the first two examples.  It is discussed here:

http://www.openldap.org/lists/openldap-devel/200503/msg00080.html
which is a follow-up to
http://www.openldap.org/lists/openldap-devel/200503/msg00048.html

Essentially, one can use the "+" operator, like so:

(user/uid & [cn=A]/memberUid) + (this/uid & [cn=B]/memberUid)

to return the empty set if one of the constituent sets is empty.

Still, your third example is more general.

thanks again for all of your help!



--- Pierangelo Masarati <ando@sys-net.it> wrote:

> [your message appears completely scrambled; I'll do my best to answer]
> 
> 
> > Thanks for your suggestions.  I have two questions about sets:
> > 
> > 1) Can you confirm(/deny) that access is allowed if the set is not empty,
> > regardless of what's in the set.  (My initial impression was that the set
> > would evaluate to a set of DNs, and the designated access would occur if the
> > binding user matched one of those DNs.)
> 
> Yes, access is granted if the set is non-empty.
> No, the set does not need to be made of DNs; see the examples in the
> FAQ.
> 
> > As a trivial example, if there is a group:
> > 
> > dn: cn=scnrage,ou=Groups,dc=example,dc=com
> > cn: scnrage
> > objectClass: groupOfUniqueNames
> > uniqueMember: uid=workerbee,ou=People,dc=example,dc=com
> > uniqueMember: uid=workerbee,ou=People,dc=example,dc=com
> > uniqueMember: uid=workerbee,ou=People,dc=example,dc=com
> > 
> > then the following ACL allows write access to the attribute userPassword
> > regardless of who binds, yes?
> > 
> > access to attrs=userPassword
> >         by set="([cn=scnrage,ou=groups,dc=example,dc=com]/uniqueMember
> >                  & [uid=workerbee,ou=people,dc=example,dc=com])" write
> >         by anonymous auth
> >         by * none
> > 
> > 2) I was not able to get your first example to work. I am wondering if it
> > is because the set will always evaluate to the empty set, unless "this" is
> > the same as "user" (in which case it works, but then we can use "self").
> > Is there a different syntax that you can suggest, that would achieve the
> > same intent? (returning a non-empty set if each of the constituent
> > statements is non-empty).
> > I played around a bit with no success, but this is all new to me.
> 
> Not sure about the first example; for sure the last one works as
> intended (I mean: as I intended; we might not yet intend the same
> behavior...).
> 
> > 
> > Your example:
> > access to attrs=userPassword
> >         by self =xw
> >         by set="([cn=group]/member & this) & ([cn=group]/owner & user)" =xw
> >         by * =x
> > 
> > I was able to get these two ACLs to work:
> > 
> > access to attrs=userPassword
> >         by self =xw
> >         by set="([cn=group]/member & this)" =xw
> >         by * =x
> > 
> > access to attrs=userPassword
> >         by self =xw
> >         by set="([cn=group]/owner & user)" =xw
> >         by * =x
> > 
> > When I &'d them, things stop working.
> > 
> > I haven't gotten the third example to work yet, though I believe that's
> > because I'm flailing on the syntax:
> > 
> > by set.expand="[ldap:///dc=suffix??sub?(&(objectClass=groupOfNames)(member=$0))]/owner & user" =xw
> > 
> > thanks
> > sam
> > 
> > ps. I will work on using groupOfNames rather than groupOfUniqueNames when
> > I have time to rewrite our data.
> > we are running slapslapd.19
> 
> Since access control works per <what>, we need to work with that.  As
> far as I understand, you want manager to be able to change the password
> of the workerbee.  If you have a "groupOfNames" for each manager that
> lists the related workerbees in the "member" and the manager in the
> "owner", then you want to build a rule that, when the <what> is the
> workerbee's password, it collects the groups the workerbee is member of
> and ANDs their owner with the identity that's performing the operation.
> So:
> 
> [ldap:///dc=base??sub?(&(objectClass=groupOfNames)(member=$0))]/owner
> 
> selects the owner of all groups the <what> ($0) is member of; all you
> need to do is AND that set with the identity that's performing the
> operation (user), i.e.
> 
> [ldap:///dc=base??sub?(&(objectClass=groupOfNames)(member=$0))]/owner & user
> 
> The resulting set is either empty, or it consists of "user"; the value
> in case of non-empty set doesn't really matter, as all that's required
> to grant access is a non-empty set.
> 
> I wouldn't spend too much effort in the other examples, as they are
> limited to single cases, so you'd need to write one rule for each
> manager/group.
> 
> p.
> 
> 
> 
> 
> Ing. Pierangelo Masarati
> Responsabile Open Solution
> OpenLDAP Core Team
> 
> SysNet s.n.c.
> Via Dossi, 8 - 27100 Pavia - ITALIA
> http://www.sys-net.it
> ------------------------------------------
> Office:   +39.02.23998309          
> Mobile:   +39.333.4963172
> Email:    pierangelo.masarati@sys-net.it
> ------------------------------------------
> 
> 
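An added example, not code from this thread or from OpenLDAP: a small Python model of the set evaluation Pierangelo describes (the "/attr" step, the LDAP-URL group lookup with $0, and "&" versus the "+" operator from the linked openldap-devel thread), run over a constructed directory with an assumed group cn=team-a. It shows why the "&" form is empty when a manager edits a workerbee's password (the two sides hold different DNs), while "+" and the set.expand rule are non-empty for the manager only.

```python
# Toy model of how slapd evaluates the ACL "set" expressions from this thread.
# Constructed example, not OpenLDAP code; DN matching is exact lower-case comparison.
BASE = "dc=example,dc=com"
MANAGER = "uid=manager,ou=people," + BASE
WORKER = "uid=workerbee,ou=people," + BASE
OTHER = "uid=other,ou=people," + BASE
GROUP = "cn=team-a,ou=groups," + BASE

# One groupOfNames per manager: workerbees in "member", the manager in "owner".
DIRECTORY = {
    GROUP: {"objectclass": {"groupofnames"}, "member": {WORKER}, "owner": {MANAGER}},
    MANAGER: {"objectclass": {"inetorgperson"}},
    WORKER: {"objectclass": {"inetorgperson"}},
    OTHER: {"objectclass": {"inetorgperson"}},
}

def attr(dns, name):
    """The '/name' step: gather that attribute's values from every entry in the set."""
    out = set()
    for dn in dns:
        out |= DIRECTORY.get(dn.lower(), {}).get(name, set())
    return out

def groups_of(member_dn):
    """Models [ldap:///BASE??sub?(&(objectClass=groupOfNames)(member=$0))]."""
    return {dn for dn, e in DIRECTORY.items()
            if "groupofnames" in e["objectclass"]
            and member_dn.lower() in e.get("member", set())}

def plus(a, b):
    """'+' as described in the thread: empty if either side is empty, else the union."""
    return a | b if a and b else set()

def rule_and(this, user):
    """([cn=group]/member & this) & ([cn=group]/owner & user)"""
    return (attr({GROUP}, "member") & {this}) & (attr({GROUP}, "owner") & {user})

def rule_plus(this, user):
    """([cn=group]/member & this) + ([cn=group]/owner & user)"""
    return plus(attr({GROUP}, "member") & {this}, attr({GROUP}, "owner") & {user})

def rule_expand(this, user):
    """[ldap:///...(member=$0)]/owner & user, with $0 bound to the <what> entry."""
    return attr(groups_of(this), "owner") & {user}

def granted(s):
    """slapd grants the privilege when the set is non-empty, whatever it holds."""
    return len(s) > 0
```

Calling `granted(rule(WORKER, MANAGER))` for each rule gives False for "&" and True for "+" and the set.expand form; with OTHER as the binding user all three are False.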

