[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACLs based on attributes?

To: Jaap Winius <jwinius@umrk.nl>
Subject: Re: ACLs based on attributes?
From: Howard Chu <hyc@symas.com>
Date: Mon, 01 Feb 2010 08:15:30 -0800
Cc: Dieter Kluenter <dieter@dkluenter.de>, openldap-technical@openldap.org
In-reply-to: <20100201155141.ycwnao1ipnhcgg8w@www.umrk.nl>
References: <20100131010132.mt6mxu5o88xco440@www.umrk.nl> <87ljfelldy.fsf@rubin.avci.de> <20100131191207.vscokx4vl81wkgkg@www.umrk.nl> <0C0E6F46B05952CDC1ADD5F6@[192.168.1.2]> <CA7C716EA83297CEDF0C378E@[192.168.1.2]> <20100131232254.xvrzz17d9a684o8g@www.umrk.nl> <87636hzaf3.fsf@rubin.avci.de> <20100201155141.ycwnao1ipnhcgg8w@www.umrk.nl>
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; rv:1.9.3a1pre) Gecko/20100131 SeaMonkey/2.0a1pre Firefox/3.0.3

Jaap Winius wrote:

Quoting Dieter Kluenter<dieter@dkluenter.de>:

this rule should do the trick:
access to dn.regex="cn=([^,]+),ou=whatsoever$"
           attrs=telephoneNumber
        by set="user/title&  [telephoneManager]" write


Yes!!!

This is what I'm using now:

     access to attrs=telephoneNumber
          by set="user/title&  [telephonemanager]" write
          by users read

This works for a user with attr title=telephonemanager. However, to
demonstrate the flexibility of this set rule...

     access to attrs=telephoneNumber
          by set="user/description&  [telephonemanager]" write
          by users read

... this works for a user with attr description=telephonemanager!

This is cool regardless, but I think my NIU-friend would say that it's
cool because this set rule allows you to give users telephonemanager
privileges without the need to maintain a telephonemanager group.

Actually, I think this solution can be improved upon significantly.
For example, what if our privileged user had this attribute:

     description: titlemanager telephonemanager addressmanager

Can a a set rule be devised to match not only users with a description
value that equals "telephonemanager", but also one that includes it in
a longer string? We would need something like:

     access to attrs=telephoneNumber
          by set="user/description&  [*telephonemanager*]" write
          by users read

Only, that doesn't work.

Is this possible?

It is unnecessary. The description attribute is multivalued, just use itcorrectly.


description: titlemanager
description: telephonemanager
description: addressmanager

I'll also note that using a set for this purpose is still inferior to using adynamic group, in terms of performance. Dynamic group evaluations are cached,sets are not.


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

References:
- Re: ACLs based on attributes?
  - From: "Dieter Kluenter" <dieter@dkluenter.de>
- Re: ACLs based on attributes?
  - From: Jaap Winius <jwinius@umrk.nl>

Prev by Date: Re: ACLs based on attributes?
Next by Date: Re: ACLs based on attributes?
Index(es):
- Chronological
- Thread