
Re: ACL for DIT structure rules



Andrew, thank you for your reply. It makes sense. I will try this sometime soon and will report the results.


Andrew Findlay wrote:
On Mon, Dec 01, 2008 at 05:17:28PM -0400, Mansour Al Akeel wrote:

In a previous email, I was told that we can implement *DIT* *structure* rules with openldap using ACL (http://www.openldap.org/lists/openldap-technical/200811/msg00152.html). Did anyone have any success implementing these rules with ACL? I have searched the net for an example, but had no luck. Possibly a simple example will help a lot, just to give me an idea about the syntax for a DIT structure rule using ACL.

The basic idea is to restrict what can be created in each part of the DIT. Suppose you have a node called cn=people,dc=example,dc=org and you want to make sure that all nodes under it describe people. You might write rules like this:

access to dn.exact="cn=people,dc=example,dc=org"
        attrs=children
        by dn.exact="cn=admin,cn=people,dc=example,dc=org" write
        by * read

access to dn.onelevel="cn=people,dc=example,dc=org"
        filter="(objectClass=inetOrgPerson)"
        by dn.exact="cn=admin,cn=people,dc=example,dc=org" write
        by * read

The first rule allows the admin to create entries under the
"cn=people,dc=example,dc=org" node.

The second rule says that the admin is allowed to write entries that
are exactly one level below "cn=people,dc=example,dc=org" and that
have objectClass=inetOrgPerson.

If no other rules give the admin user write permissions in this
part of the DIT then you effectively have a structure rule.
The admin only has write permission if the entry has the correct
objectclass, so they cannot add something different.

I have used rules of this sort in the past, but ITS#4556 suggests
that there are cases where they do not work. See recent discussion:
http://www.openldap.org/lists/openldap-devel/200811/msg00014.html
I have rules very similar to the example above which I have just
tested on 2.3.27 and they work OK.... My actual rules use regex
but I simplified them for this message.

Andrew
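The quickest way to find out whether the ACL pair Andrew quotes really behaves as a structure rule on your own server is to try to add entries that should and should not be accepted and look at the LDAP result code: slapd answers an ACL-refused add with insufficientAccessRights (50), and the OpenLDAP client tools exit with the result code. The script below is an added example, not code from the thread or from OpenLDAP itself; it assumes a slapd reachable at $LDAPURI, that cn=admin,cn=people,dc=example,dc=org can bind with simple auth using $ADMIN_PW, and that dc=example,dc=org and cn=people,dc=example,dc=org already exist with the two ACLs from the message in place. The test entries are constructed for the example. Besides the wrong-objectClass case from the message it also tries an inetOrgPerson two levels down, which neither rule grants (dn.onelevel does not match it, and nobody holds "children" write on the intermediate entry).

```shell
#!/bin/sh
# Added example, not part of the original thread: a small harness that checks whether
# the two ACLs quoted above really act as a DIT structure rule under cn=people.
# Assumptions (mine, not from the message): slapd is reachable at $LDAPURI,
# cn=admin,cn=people,dc=example,dc=org can bind with simple auth using $ADMIN_PW,
# and dc=example,dc=org plus cn=people,dc=example,dc=org already exist.
set -eu

LDAPURI="${LDAPURI:-ldap://localhost}"
BASE="cn=people,dc=example,dc=org"
ADMIN_DN="cn=admin,$BASE"
ADMIN_PW="${ADMIN_PW:-secret}"

# Constructed test entries. Only the first one should be accepted by the ACLs.
allowed_ldif() {        # one level below cn=people, objectClass inetOrgPerson
    printf 'dn: uid=jdoe,%s\nobjectClass: inetOrgPerson\nuid: jdoe\ncn: Jane Doe\nsn: Doe\n' "$BASE"
}
wrong_class_ldif() {    # right place, but not a person: the second ACL grants no write
    printf 'dn: ou=notaperson,%s\nobjectClass: organizationalUnit\nou: notaperson\n' "$BASE"
}
too_deep_ldif() {       # a person two levels down: dn.onelevel does not match, and
                        # nobody has "children" write on uid=jdoe
    printf 'dn: uid=child,uid=jdoe,%s\nobjectClass: inetOrgPerson\nuid: child\ncn: C\nsn: C\n' "$BASE"
}

# Feed stdin to ldapadd as the admin and print its exit status. The OpenLDAP
# client tools exit with the LDAP result code: 0 = success,
# 50 = insufficientAccessRights, i.e. the ACL said no.
try_add() {
    if ldapadd -x -H "$LDAPURI" -D "$ADMIN_DN" -w "$ADMIN_PW" >/dev/null 2>&1; then
        echo 0
    else
        echo $?
    fi
}

# Map an ldapadd exit status to what it means for the structure rule.
classify() {
    case "$1" in
        0)  echo allowed ;;
        50) echo denied ;;      # rejected by ACL, which is what a structure rule should do
        *)  echo "error($1)" ;; # connection, bind or schema problem: inconclusive
    esac
}

# The rule holds only if the person entry is accepted and both bad entries are
# refused by the ACL itself (exit 50), not by some unrelated error.
structure_rule_holds() {
    [ "$(classify "$1")" = allowed ] &&
    [ "$(classify "$2")" = denied ] &&
    [ "$(classify "$3")" = denied ]
}

run_checks() {
    ok=$(allowed_ldif | try_add)
    bad_class=$(wrong_class_ldif | try_add)
    bad_depth=$(too_deep_ldif | try_add)      # needs uid=jdoe from the first add
    # Remove the person entry again so the script can be re-run (68 = already exists otherwise).
    ldapdelete -x -H "$LDAPURI" -D "$ADMIN_DN" -w "$ADMIN_PW" "uid=jdoe,$BASE" >/dev/null 2>&1 || true
    echo "inetOrgPerson under cn=people:       $(classify "$ok")"
    echo "organizationalUnit under cn=people:  $(classify "$bad_class")"
    echo "inetOrgPerson two levels down:       $(classify "$bad_depth")"
    if structure_rule_holds "$ok" "$bad_class" "$bad_depth"; then
        echo "structure rule holds"
    else
        echo "structure rule does NOT hold; check ACL order and other 'write' grants"
        return 1
    fi
}

# Run with: sh acl_check.sh run   (nothing touches the server unless "run" is given)
if [ "${1:-}" = run ]; then
    run_checks
fi
```

Two things to keep in mind when reading the results: slapd uses the first `access to` clause whose target matches and ignores later ones, so a broader rule placed above these two can silently grant the write the structure rule is meant to deny, and an `error(...)` verdict (for example 49 for a bad bind or 255 when the server is unreachable) means the check did not run, not that the rule works.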