Re: ACL in dynamic configuration
- To: openldap-technical@openldap.org
- Subject: Re: ACL in dynamic configuration
- From: harry.jede@arcor.de
- Date: Fri, 16 Mar 2012 17:34:12 +0100
- Cc: Nick Milas <nick@eurobjects.com>
- In-reply-to: <4EF3ADCC.4010409@eurobjects.com>
- References: <4EF3ADCC.4010409@eurobjects.com>
- User-agent: KMail/1.13.5 (Linux/2.6.32-5-amd64; KDE/4.4.5; x86_64; ; )
Nick Milas wrote:
> Question 2.
> Is there a way we can add (manually, since conversion removed the
> ones which existed in initial configuration files) line breaks in
> olcAccess attribute value so it can be more legible (for
> administrative purposes)?
*You do not like this:*
dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read
*but prefer something like this:*
dn: olcDatabase={-1}frontend,cn=config
olcAccess: to *
 by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
 by * break
olcAccess: to dn.exact=""
 by * read
olcAccess: to dn.base="cn=Subschema"
 by * read
I think it is legible.
And the openldap ldif parser is still happy.
The quite old streamline editor sed helps.
#!/bin/sed -rf
# Author: Harry Jede
# produce human readable but still machine parseable
# olcAccess lines and removes the ordering numbers in {}
# because humans don't need them, really.
# the whole script
# strip the {n} ordering prefix from every olcAccess line
s/^(olcAccess: )\{[[:digit:]]+\}(.*$)/\1\2/
# collect all lines but the last in the hold space
$!{H;d}
# on the last line: fetch everything, unfold LDIF continuation lines
# (newline + space), then start a new folded line before each "by"
${H;g;s/\n //g;s/[[:space:]]+by /\n by /g}
Use the script at your own risk! I have written it some months ago and it
works for me. I do not cover the case where an entry in an ACL has the
keyword *by* in the DN. Something like this:
"cn=produced by company,dc=example,dc=com"
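As an added example (not from Harry's post or the OpenLDAP project), here is the same idea in Python, extended to cover the case just mentioned: it unfolds slapcat-style LDIF, drops the {n} ordering prefix, and starts a new line before each "by", but only treats "by" as a keyword outside double quotes, so a quoted DN containing the word "by" is left intact. The sample LDIF is constructed for the demo; continuation lines are indented with two spaces so that unfolding the result puts a space back in front of each "by".

```python
"""Format olcAccess values for reading: unfold LDIF, drop the {n} ordering
prefix, and put each 'by' clause on its own continuation line.

Added example, not the sed script from the mailing-list post. Quote-aware:
a 'by' inside a double-quoted DN does not start a new clause.
"""
import re

# Constructed sample in slapcat -n0 style. The third ACL contains the word
# "by" inside a quoted DN, and one fold lands in the middle of "dn.exact".
SAMPLE_LDIF = """dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.subtree="cn=produced by company,dc=example,dc=com" by dn.exa
 ct="cn=admin,dc=example,dc=com" write by * none
"""

ORDER_PREFIX = re.compile(r"^\{[0-9]+\}")


def unfold(ldif):
    """Join LDIF continuation lines (a leading space) onto the preceding line."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def split_clauses(value):
    """Split an ACL value into ['to ...', 'by ...', 'by ...'].

    Double quotes are counted per token to track whether we are inside a
    quoted string; 'by' only opens a new clause outside quotes.
    """
    clauses, current, in_quotes = [], [], False
    for tok in value.split():
        if tok == "by" and not in_quotes and current:
            clauses.append(" ".join(current))
            current = []
        current.append(tok)
        if tok.count('"') % 2:
            in_quotes = not in_quotes
    clauses.append(" ".join(current))
    return clauses


def format_olcaccess(ldif):
    """Return the LDIF with each olcAccess value re-folded, one 'by' per line.

    Continuation lines get two leading spaces: the first is the LDIF fold
    marker and is removed on unfolding, the second survives so the value
    re-parses with a space before each 'by'.
    """
    out = []
    for line in unfold(ldif):
        if not line.startswith("olcAccess:"):
            out.append(line)
            continue
        value = ORDER_PREFIX.sub("", line[len("olcAccess:"):].strip())
        head, *by_clauses = split_clauses(value)
        out.append("olcAccess: " + head)
        out.extend("  " + clause for clause in by_clauses)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(format_olcaccess(SAMPLE_LDIF), end="")
```

Feed it `slapcat -n0` output on stdin in place of SAMPLE_LDIF to use it the way the sed script is used; unfolding the result again gives back the original values without the {n} prefixes.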
Usage examples on a Debian system:
a) small data
# ldapsearch -LLLY external -H ldapi:/// -b 'olcDatabase={1}monitor,cn=config' 'olcaccess=*' olcaccess 2>/dev/null|fmt_olcAccess
dn: olcDatabase={1}monitor,cn=config
olcAccess: to *
 by dn.exact="cn=admin,dc=delixs-schule,dc=de" read
 by set="[cn=admin,dc=delixs-schule,dc=de]/roleOccupant/member & user" read
 by * none
b) much more data
slapcat -n0 |fmt_olcAccess |less
--
Harry Jede