Re: ACL for DIT structure rules
On Mon, Dec 01, 2008 at 05:17:28PM -0400, Mansour Al Akeel wrote:
> In a previous email, I was told that we can implement *DIT* *structure*
> rules with openldap using ACL
> (http://www.openldap.org/lists/openldap-technical/200811/msg00152.html).
> Did any one have any success implementing these rules with ACL. I have
> searched the net for an example, but out of luck. Possibly a simple
> example will help a lot, just to give me an idea about the syntax for a
> DIT structure rule using ACL.
The basic idea is to restrict what can be created in each part of the
DIT. Suppose you have a node called cn=people,dc=example,dc=org and
you want to make sure that all nodes under it describe people. You might
write rules like this:
access to dn.exact="cn=people,dc=example,dc=org"
        attrs=children
        by dn.exact="cn=admin,cn=people,dc=example,dc=org" write
        by * read

access to dn.onelevel="cn=people,dc=example,dc=org"
        filter="(objectClass=inetOrgPerson)"
        by dn.exact="cn=admin,cn=people,dc=example,dc=org" write
        by * read
The first rule allows the admin to create entries under the
"cn=people,dc=example,dc=org" node.
The second rule says that the admin is allowed to write entries that
are exactly one level below "cn=people,dc=example,dc=org" and that
have objectClass=inetOrgPerson.
If no other rules give the admin user write permissions in this
part of the DIT then you effectively have a structure rule.
The admin only has write permission if the entry has the correct
objectclass, so they cannot add something different.
I have used rules of this sort in the past, but ITS#4556 suggests
that there are cases where they do not work. See recent discussion:
http://www.openldap.org/lists/openldap-devel/200811/msg00014.html
I have rules very similar to the example above which I have just
tested on 2.3.27 and they work OK.... My actual rules use regex
but I simplified them for this message.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
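The following is an added worked example, not part of the message above and not OpenLDAP code. It models the two ACL clauses Andrew gives as Python data and evaluates add requests against them the way slapd does in the respects the message relies on: the first `access to` clause whose target matches decides, the first matching `by` within it decides, and an add needs write access both to the parent's `children` pseudo-attribute and to the new entry's `entry` pseudo-attribute (the filter is evaluated against whichever entry is the target of each check). It also shows the caveat about "no other rules" giving the admin write: a later catch-all clause lets the admin create a non-inetOrgPerson entry again. The sample directory, the DN `cn=eve,...` and the treatment of "no clause matches" as no access are assumptions made for the example.

```python
"""Toy model of the two OpenLDAP ACL clauses from the message as a DIT
structure rule.  Added example, not OpenLDAP code.  It models only the
slapd behaviours the message relies on: first matching `access to` clause
decides, first matching `by` decides, and an add needs write on the parent's
`children` and on the new entry's `entry` pseudo-attribute.  Treating
"no clause matches" as no access is a simplification of real slapd defaults."""

LEVELS = {"none": 0, "read": 1, "write": 2}
ADMIN = "cn=admin,cn=people,dc=example,dc=org"
PEOPLE = "cn=people,dc=example,dc=org"

# The two clauses from the message, written as Python data.
STRUCTURE_RULES = [
    {   # access to dn.exact="cn=people,dc=example,dc=org" attrs=children
        "dn_exact": PEOPLE,
        "attrs": {"children"},
        "by": [(ADMIN, "write"), ("*", "read")],
    },
    {   # access to dn.onelevel="cn=people,..." filter="(objectClass=inetOrgPerson)"
        "dn_onelevel": PEOPLE,
        "filter_objectclass": "inetOrgPerson",
        "by": [(ADMIN, "write"), ("*", "read")],
    },
]

# A later catch-all that also grants the admin write: the situation the
# message warns about ("no other rules give the admin user write permissions").
LEAKY_RULES = STRUCTURE_RULES + [{"by": [(ADMIN, "write"), ("*", "read")]}]

# Constructed sample directory (assumption): DN -> objectClass values.
DIRECTORY = {
    "dc=example,dc=org": {"dcObject", "organization"},
    PEOPLE: {"organizationalRole"},
    "cn=alice," + PEOPLE: {"inetOrgPerson"},
}


def parent_dn(dn):
    """Naive RDN split: 'cn=x,cn=people,dc=example,dc=org' -> 'cn=people,dc=example,dc=org'."""
    return dn.split(",", 1)[1] if "," in dn else ""


def clause_matches(clause, target_dn, attr, objectclasses):
    """Does the `access to` part of a clause select this target entry/attribute?"""
    if "dn_exact" in clause and target_dn != clause["dn_exact"]:
        return False
    if "dn_onelevel" in clause and parent_dn(target_dn) != clause["dn_onelevel"]:
        return False
    if "attrs" in clause and attr not in clause["attrs"]:
        return False
    if "filter_objectclass" in clause and clause["filter_objectclass"] not in objectclasses:
        return False
    return True


def access_level(rules, requester, target_dn, attr, objectclasses):
    """slapd-style evaluation: first matching clause, then first matching `by`."""
    for clause in rules:
        if clause_matches(clause, target_dn, attr, objectclasses):
            for who, level in clause["by"]:
                if who == "*" or who == requester:
                    return level
            return "none"          # implicit trailing `by * none`
    return "none"                  # simplification: nothing matched -> denied


def can_add(rules, requester, new_dn, new_objectclasses):
    """An add needs write on the parent's `children` and on the new entry's `entry`."""
    parent = parent_dn(new_dn)
    if parent not in DIRECTORY:
        return False               # slapd refuses an add whose parent does not exist
    checks = [
        (parent, "children", DIRECTORY[parent]),      # filter sees the parent here
        (new_dn, "entry", set(new_objectclasses)),    # filter sees the new entry here
    ]
    return all(LEVELS[access_level(rules, requester, dn, attr, ocs)] >= LEVELS["write"]
               for dn, attr, ocs in checks)


if __name__ == "__main__":
    person = "cn=bob," + PEOPLE
    unit = "ou=groups," + PEOPLE
    nested = "cn=carol,cn=alice," + PEOPLE
    print("admin adds inetOrgPerson under people:", can_add(STRUCTURE_RULES, ADMIN, person, {"inetOrgPerson"}))
    print("admin adds organizationalUnit under people:", can_add(STRUCTURE_RULES, ADMIN, unit, {"organizationalUnit"}))
    print("admin adds a person two levels down:", can_add(STRUCTURE_RULES, ADMIN, nested, {"inetOrgPerson"}))
    print("non-admin adds inetOrgPerson under people:", can_add(STRUCTURE_RULES, "cn=eve," + PEOPLE, person, {"inetOrgPerson"}))
    print("with a later catch-all, admin adds organizationalUnit:", can_add(LEAKY_RULES, ADMIN, unit, {"organizationalUnit"}))
```

The second clause carries no `attrs` list, so it also covers the `children` attribute of existing inetOrgPerson entries such as `cn=alice`; what still blocks an entry two levels down is that nothing grants write on the new entry itself, since `dn.onelevel` does not reach it. The last call shows why the ordering caveat matters: once a broader clause below the two structure clauses grants the admin write, the filter no longer constrains what can be added.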