Re: access control, groups/organizationalRole
- To: openldap-technical@openldap.org
- Subject: Re: access control, groups/organizationalRole
- From: Frederik Bosch <frederik.bosch@gmail.com>
- Date: Thu, 26 Aug 2010 16:01:16 +0200
- In-reply-to: <4C76326A.8040207@gmail.com>
- References: <4C729BBE.2020204@gmail.com> <4C750E32.9030503@gmail.com> <4C762A06.8010804@gmail.com> <4C76326A.8040207@gmail.com>
- User-agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; nl; rv:1.9.2.8) Gecko/20100802 Thunderbird/3.1.2
Unfortunately, I can't get it working. Thanks again though! I am still
not able to read, only auth/bind.
Suppose I have the following setup.
dn: cn=Role Example 1,o=Organization
objectClass: organizationalRole
cn: Role Example 1
roleOccupant: uid=webmaster@example.com,ou=Partners,o=Organization
roleOccupant: uid=admin@example.com,ou=Partners,o=Organization
roleOccupant: uid=root@example.com,ou=Partners,o=Organization

dn: cn=Role Example 2,o=Organization
objectClass: organizationalRole
cn: Role Example 2
roleOccupant: uid=webmaster@example.co.uk,ou=Other,o=Organization
roleOccupant: uid=admin@example.co.uk,ou=Other,o=Organization
roleOccupant: uid=root@example.co.uk,ou=Other,o=Organization

dn: cn=Role Example N,o=Organization
objectClass: organizationalRole
cn: Role Example N
roleOccupant: uid=xx,ou=Misc,o=Organization
roleOccupant: uid=yy,ou=Misc,o=Organization
roleOccupant: uid=zz,ou=Misc,o=Organization
Now I want to assign read access to the complete LDAP tree to all
occupants of an organizationalRole.
Thanks,
Frederik
On 26-8-2010 11:22, Frederik Bosch wrote:
By the way, this seems to be correct syntax, but does not give me the
correct result.
access to attrs=uid,userPassword
        by anonymous auth
        by * none
access to *
        by group/organizationalRole/roleOccupant.regex=".+" read
        by * none
I am able to bind, but not to read the tree.
Frederik
On 26-8-2010 10:47, Frederik Bosch wrote:
Thanks again Dieter. That looks way too difficult for me :). I
changed some things. Now suppose that I want to assign read access to
every roleOccupant in an organizationalRole.
access to * by group/organizationalRole/roleOccupant read
But that's not correct syntax. Slapd won't start. It has to be like
this:
access to * by group/organizationalRole/roleOccupant="<DN>" read
What syntax do I need to let "<DN>" match the whole tree?
Thanks for the help,
Frederik
On 25-8-2010 14:36, Frederik Bosch wrote:
That's not what I mean, but thanks for your suggestion.
Let me try to rephrase. Suppose I have an organizationalRole located
in Amsterdam and Rotterdam. Now I only want to assign rights to all
occupants of the organizationalRole located in Amsterdam.
In XPath-like syntax, this would look like this:
access to * by group/organizationalRole[@location="Amsterdam"]/roleOccupant read
How do I need to rewrite this for slapd?
Thanks,
Frederik
On 08/23/2010 06:03 PM, Frederik Bosch wrote:
Hello,
I am trying to set up an access control rule, but have failed. All occupants
of the objectClass organizationalRole which has a certain location may
have read access. How do I set up this rule in slapd.conf?
This is my line at the moment. This matches the dn of the occupant. But
how do I match the location attribute of the organizationalRole?
access to * by group/organizationalRole/roleOccupant="cn=Administrator,dc=example,dc=com" read
Thanks in advance,
Frederik
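For the setup described at the top of this thread, the following is an added example (it is not from the thread, and not an answer that was posted to the list): a slapd.conf ACL that grants read access to the occupants of each listed organizationalRole using the exact-DN group form, which the thread already shows slapd accepts. It assumes the role and user DNs from Frederik's LDIF and that slapd is configured from slapd.conf rather than cn=config. Per slapd.access(5), the group clause names the group entry by DN, either exactly (style exact, the default) or via an expand pattern that substitutes $N captures from a regex in the what clause; a pattern such as ".+" is not the DN of any role entry, so no occupant can match it. Each role that should confer read access therefore gets its own by clause:

```conf
# slapd.conf ACL fragment (added example, not from the thread).
# Directives are evaluated in order: the first "access to" whose <what>
# matches the target entry/attribute is used, and within that directive
# the first "by" whose <who> matches the bound DN decides the outcome.

# Let anonymous clients use uid/userPassword for simple bind only; the
# values cannot be read back by anyone (the thread's own first rule).
access to attrs=uid,userPassword
        by anonymous auth
        by * none

# Everything else, including the "entry" pseudo-attribute that must be
# readable for an entry to be returned at all, is readable by occupants
# of the listed roles. group/<objectClass>/<attribute>="<DN>" tells
# slapd which entry to look in and which attribute holds the member
# DNs; the bound DN must be one of that entry's roleOccupant values.
access to *
        by group/organizationalRole/roleOccupant="cn=Role Example 1,o=Organization" read
        by group/organizationalRole/roleOccupant="cn=Role Example 2,o=Organization" read
        by group/organizationalRole/roleOccupant="cn=Role Example N,o=Organization" read
        by * none
```

The result can be checked without a client using slapacl (the config path below is an assumption): slapacl -f /etc/openldap/slapd.conf -D "uid=admin@example.com,ou=Partners,o=Organization" -b "cn=Role Example 2,o=Organization" entry/read should report read access as allowed for an occupant, and the same command with a bind DN that is not listed in any role should report it denied. Over the wire, ldapsearch -x -D "uid=admin@example.com,ou=Partners,o=Organization" -W -b o=Organization dn should return the tree for an occupant and nothing for anyone else. Two caveats: with this ACL an occupant cannot read uid or userPassword, not even their own, because the attrs rule matches first and ends in by * none, so add a by self clause there if that is unintended; and restricting the grant to roles with a particular location (the Amsterdam case earlier in the thread) is not something the group clause can express, since it selects the role entry by DN rather than by a filter, so such roles have to be listed explicitly or placed under a per-location container whose DNs can be named.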