
Re: ldap ACLS with regex



Jeronimo Zucco wrote:
> Sam Tran wrote:
>>
>> access to dn.regex="^ou=ImpPrefs,uid=([^,]+),ou=People,dc=domain,dc=br$"
>> attrs=children
>>      by dn.regex,expand="uid=$1,ou=people,dc=domain,dc=br" write
>>      by * none
>>
>> access to dn.regex="^cn=([^,]+),ou=PersonalAddressBook,dc=domain,dc=br$"
>> attrs=children
>>      by dn.regex,expand="uid=$1,ou=people,dc=domain,dc=br" write
>>      by * none
>>
>> Sam
> 
> Thanks for the help for everyone.
> 
> ImpPrefs works ok with:
> 
> access  to dn.regex="^.*,uid=([^,]+),(.*),ou=People,dc=domain,dc=br$"
>        by dn.exact,expand="uid=$1,$2,ou=People,dc=domain,dc=br"   write
>        by *                                            none
> 
> 
> But PersonalAddressBook still with problems.
> 
> With:
> access to
> dn.regex="^cn=([^,]+),ou=PersonalAddressBook,dc=domain,dc=br$" 
> attrs=children
>     by dn.regex,expand="uid=$1,ou=people,dc=domain,dc=br" write
>     by * none
> 
> Everyone accesses the PersonalAddressBook of others.
> 
> With:
> access to dn.regex="^.*,(uid=[^,]+,.+,ou=People,dc=domain,dc=br)$"
> by dn.exact,expand="$1" write
> 
> It is too permissive, I guess.

Your guess is wrong.  They're perfectly equivalent, but mine is much
more efficient.  But please, keep guessing...

> 
> I try also:
> access  to dn.regex="ou=([^,]+),ou=PersonalAddressBook,dc=domain,dc=br$"
>        by dn.exact,expand="uid=$1,.*"               write
>        by anonymous                       read
> 
> Does not work.
> 
> 
> access  to
> dn.regex="^.*,ou=([^,]+),ou=PersonalAddressBook,dc=domain,dc=br$"
>        by dn.exact,expand="uid=$1,.*"             write
>        by anonymous                                                read
> 
> Does not work either :-(
> 
> 
> This is an ACL mystery :-)
> 
> If you have more suggestions, I will appreciate them.

What about a brute force approach, piping /dev/random into slapd.conf?

Or, try (please replace "dc=suffix" with your suffix; I had to use it
otherwise my mailer would automatically wrap stuff)

# allow to write the "ou=ImpPrefs" entry below self (must exist);
# $1 captures everything from the uid value to the suffix, so the
# expanded subject is the full DN of the owner
access to
	dn.regex="^ou=ImpPrefs,uid=([^,]+,ou=People,dc=suffix)$"
	by dn.exact,expand="uid=$1" write

# allow to create objects in one's addressbook (must exist):
# "children" covers adding/deleting entries directly below cn=<uid>
access to
	dn.regex="^cn=([^,]+),ou=PersonalAddressBook,dc=suffix$"
	attrs=children
	by dn.exact,expand="uid=$1,ou=People,dc=suffix" write

# allow to write the addressbook entry itself and anything stored
# below it; the optional leading group is $1, so the uid is $2
access to
	dn.regex="^(.+,)?cn=([^,]+),ou=PersonalAddressBook,dc=suffix$"
	by dn.exact,expand="uid=$2,ou=People,dc=suffix" write

I note that if you need to do something special, like allow a user to
create the "ou=ImpPrefs" entry, or the "cn=<uid>" entry in
"ou=PersonalAddressBook,dc=suffix", then you'll need more rules to allow
entry and children writing.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
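The three rules above are easiest to reason about by tracing which bound DN ends up matching the expanded subject for a given target entry. The script below is an added example, not slapd code and not from the original mail: it models the documented evaluation order (the first "access to" clause whose DN and attribute match decides; within it the first matching "by" clause applies; otherwise access is "none"), substitutes $1/$2 from the target regex into the "by ...,expand" template, and runs the rules over a constructed tree under dc=domain,dc=br with two hypothetical users, uid=alice and uid=bob. Treating DN comparison and regex matching as case-insensitive is an assumption of the model, as is treating a rule without attrs as covering the entry and children pseudo-attributes.

```python
import re

# Constructed model of slapd-style ACL evaluation for the rules in the
# reply.  Not slapd code: it mimics "first matching access-to clause
# wins, then first matching by-clause, default none", expands $N from
# the target regex, and assumes case-insensitive DN matching.

SUFFIX = "dc=domain,dc=br"

# Each rule: target regex over the entry DN, the attribute set it covers
# (None = any attribute, including the "entry"/"children" pseudo-attrs;
# an assumption of the model), and the ordered "by" clauses as
# (subject kind, template with $N placeholders, access level).
ACLS = [
    # write the ou=ImpPrefs entry below one's own uid=... entry
    {"to": rf"^ou=ImpPrefs,uid=([^,]+,ou=People,{SUFFIX})$",
     "attrs": None,
     "by": [("dn.exact,expand", "uid=$1", "write")]},
    # add/delete children of one's own cn=<uid> addressbook container
    {"to": rf"^cn=([^,]+),ou=PersonalAddressBook,{SUFFIX}$",
     "attrs": {"children"},
     "by": [("dn.exact,expand", f"uid=$1,ou=People,{SUFFIX}", "write")]},
    # write the container itself and anything stored below it
    {"to": rf"^(.+,)?cn=([^,]+),ou=PersonalAddressBook,{SUFFIX}$",
     "attrs": None,
     "by": [("dn.exact,expand", f"uid=$2,ou=People,{SUFFIX}", "write")]},
]


def expand(template, match):
    """Substitute $1..$9 in a 'by ...,expand' template with the groups
    captured by the target regex; an unmatched optional group expands
    to the empty string."""
    return re.sub(r"\$(\d)",
                  lambda m: match.group(int(m.group(1))) or "", template)


def access_level(target_dn, attr, bind_dn):
    """Return the access level the modelled ACLs grant bind_dn on
    (target_dn, attr); 'none' when no clause grants anything."""
    for acl in ACLS:
        m = re.search(acl["to"], target_dn, re.IGNORECASE)
        if not m:
            continue
        if acl["attrs"] is not None and attr not in acl["attrs"]:
            continue
        for kind, template, level in acl["by"]:
            subject = expand(template, m)
            if kind == "dn.exact,expand" and bind_dn.lower() == subject.lower():
                return level
            if kind == "dn.regex,expand" and re.search(subject, bind_dn, re.IGNORECASE):
                return level
            if kind == "*":
                return level
        return "none"   # target matched, no "by" clause did: implicit "by * none"
    return "none"       # no "access to" clause applied at all


if __name__ == "__main__":
    alice = f"uid=alice,ou=People,{SUFFIX}"
    bob = f"uid=bob,ou=People,{SUFFIX}"
    # constructed requests: (entry DN, attribute, bound DN)
    for dn, attr, who in [
        (f"ou=ImpPrefs,uid=alice,ou=People,{SUFFIX}", "entry", alice),
        (f"ou=ImpPrefs,uid=alice,ou=People,{SUFFIX}", "entry", bob),
        (f"cn=alice,ou=PersonalAddressBook,{SUFFIX}", "children", alice),
        (f"cn=alice,ou=PersonalAddressBook,{SUFFIX}", "children", bob),
        (f"cn=Carol Smith,cn=alice,ou=PersonalAddressBook,{SUFFIX}", "mail", alice),
        (f"cn=Carol Smith,cn=alice,ou=PersonalAddressBook,{SUFFIX}", "mail", bob),
    ]:
        print(f"{who:36} {attr:8} {dn:58} -> {access_level(dn, attr, who)}")
```

Running it shows alice getting "write" on her own ImpPrefs entry, on the children of her cn=alice container and on the cn=Carol Smith entry below it, while bob gets "none" on all three even though the target regex matches: the expanded subject is a different DN than the one he bound as. The same harness is a cheap way to check a rule before loading it, e.g. by swapping in one of the earlier variants from the thread and watching which (target, bind DN) pairs it lets through.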