
Re: Controlling access based on group membership



On Mon, 20 Feb 2012 22:21:55 +0200,
Nick Milas <nick@eurobjects.com> wrote:

> On 20/2/2012 1:45 PM, Nick Milas wrote:
> 
> > I would like to ask the list:
> > 1. Can someone demonstrate how we should formulate an ACL which
> > would accomplish the above? The ACL should say:
> > access to <some entries> <some attribute>
> >     by {a DN which belongs to a Group specified in the AdminGroups 
> > attr of the entry} write
> >     by {a DN which belongs to a Group specified in the ReadGroups
> > attr of the entry} read
> >     by {a DN which belongs to a Group specified in the SearchGroups 
> > attr of the entry} search
> >
> > 2. Is there an existing (included in the distribution or available 
> > from a third-party) schema or similar mechanism available (so that
> > I don't re-invent the wheel)?
> >
> 
> Reading through
> http://www.openldap.org/doc/admin24/access-control.html, I came to
> the conclusion that this could work if we specify:
> 
>   access to <some entries> <some attributes>
>      by dnattr=AdminGroups write
>      by dnattr=ReadGroups read
>      by dnattr=SearchGroups search
> 
> Will this work if the DNs included in these attributes are, as I have 
> described, of the following form:
> 
>     cn=<someAdmins>,ou=Groups,dc=example,dc=com
> 
> and these are in turn defined as:
> dn: cn=<someAdmins>,ou=Groups,dc=example,dc=com
> objectClass: groupOfNames
> cn: TechAdmins
> member: uid=<user1>,ou=people,dc=example,dc=com
> member: uid=<user2>,ou=people,dc=example,dc=com
> 
> ...??
> 
> Please, advise.

The AdminGuide (and slapd.access(5)) clearly say
[dnattr=<attrname>]
that is, the attribute name is commonName or telephoneNumber, but not an
attribute value like AdminGroups.

access to <some entries> <some attrs>
	by group.exact=cn=someAdmins,ou=Group,dc=example,dc=com write
	by group.exact=cn=ReadGroups,ou=Group,dc=example,dc=com read
	...

would be the correct rule set.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
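The three "who" forms discussed in this thread side by side, as an added slapd.conf fragment that is not part of either post. It assumes the protected entries live under ou=Devices,dc=example,dc=com (a constructed placeholder) and that AdminGroups, ReadGroups and SearchGroups are defined with DN syntax; the set-based rule is the documented (experimental, slower) way to follow group DNs that are stored in the entry itself, which neither dnattr nor group.exact does.

```conf
# Added example (not from the thread). Target subtree
# ou=Devices,dc=example,dc=com is a constructed placeholder.
# slapd uses the FIRST "access to" clause that matches the target,
# so the more specific clause is listed first.

# 1. dnattr=<attrname>: grants access when the target entry holds the
#    requester's own DN in that attribute. Good for an "owner" style
#    attribute of user DNs; it never looks inside a group, which is why
#    "dnattr=AdminGroups" cannot express group membership.
access to dn.children="ou=Devices,dc=example,dc=com" attrs=description
        by dnattr=owner write
        by * read

# 2. What the question asked for: the groups are listed per entry in
#    AdminGroups/ReadGroups/SearchGroups. A set ACL dereferences those
#    DNs, collects their member values and intersects them with the
#    bound user. Requires DN-syntax attributes; every evaluation runs
#    internal searches, so keep the target scope narrow.
#    Privileges nest (write implies read, read implies search), so the
#    order write > read > search below is deliberate.
access to dn.children="ou=Devices,dc=example,dc=com"
        by set="this/AdminGroups/member & user" write
        by set="this/ReadGroups/member & user" read
        by set="this/SearchGroups/member & user" search
        by * none

# 3. Static groups, as in Dieter's reply: the group DN is written into
#    the rule. The default object class/attribute for "group" is
#    groupOfNames/member, matching the groups quoted in the question.
#    Here the TechAdmins group is allowed to manage the group entries.
access to dn.children="ou=Groups,dc=example,dc=com"
        by group.exact="cn=TechAdmins,ou=Groups,dc=example,dc=com" write
        by users read
        by * none
```

Check the result with slapacl(8) for a concrete bound DN and target entry before relying on it; a set spec that references a non-DN attribute silently yields an empty set and denies access.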