[Date Prev][Date Next] [Chronological] [Thread] [Top]

understanding ACLs: dn.subtree vs. attrs=@something

To: openldap-technical@openldap.org
Subject: understanding ACLs: dn.subtree vs. attrs=@something
From: Isaac Hailperin <hailperin@zib.de>
Date: Tue, 16 Nov 2010 18:48:22 +0100
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.15) Gecko/20101027 Thunderbird/3.0.10

Hi,

I am trying to build acls suitable to my setup:

I have posix accounts in ou=people,ou=unix,dc=acme,dc=org
and some more information about users (defined in an object class called
"acmeUserAccount") in ou=people,ou=useradm,dc=acme,dc=org.

Each posix account has a corresponding record in ou=useradm. Theserecord pairs are connected by having the uid attribute defined equally.

Now I want to restrict access to the ou=useradm tree, but not theou=unix tree.

As far as I can
understand, there are at least two ways to do so:

1. using something like
access to dn.subtree="ou=useradm,dc=acme,dc=org"
  by group="cn=useradmins,ou=group,ou=unix,dc=acme,dc=org" write
  by group="cn=consultants,ou=group,ou=unix,dc=acme,dc=org" read
  by * none

This works as expected - giving write access to members of useradmins,and read access to members of consultants.


2. using something like
access to attrs=@acmeUserAccount
  by group="cn=useradmins,ou=group,ou=unix,dc=acme,dc=org" write
  by group="cn=consultants,ou=group,ou=unix,dc=acme,dc=org" read
  by * none

This also works as expected with regards to acmeUserAccount, but hasfunny side effects on ou=unix.

To my understanding these two methods should have the same effect, as Ionly have records of type acmeUserAccount underneth ou=useradm.But: if I use 2), users don't have access to their data undernethou=unix. Only the two groups mentioned have access to ou=unix as definedfor acmeUserAccount.

I read that using  attrs=@someObjectClass affects also attributes that
are defined in object classes that someObjectClass inherits from.
My object class is defined as follows:

objectclass
  (
      managementOC:1
      NAME 'acmeUserAccount'
      DESC 'Attributes needed for acme user management'
      SUP top STRUCTURAL
      MUST ( uid $ email )
      MAY ( $ givenName $ surname $ federalState  )
      )

So it should inherit only from top, which I thought of as some abstractclass

without any attributes.
Can someone explain this behaviour to me?

Regards,
Isaac

Follow-Ups:
- Re: understanding ACLs: dn.subtree vs. attrs=@something
  - From: Quanah Gibson-Mount <quanah@zimbra.com>

Prev by Date: Re: I'm completely confused by ACLs ... @-)
Next by Date: Re: understanding ACLs: dn.subtree vs. attrs=@something
Index(es):
- Chronological
- Thread