Re: Concerns with OLC (cn=config) for editing schema, ACLs, and deleting entries
--On Tuesday, March 20, 2012 12:58 AM -0400 "David N. Blank-Edelman"
<dnb@ccs.neu.edu> wrote:
To your original point: once those details are clear, I suspect it would
be relatively straightforward to write a slapacl command/script that
parsed the ACL .conf file format and then used Net::LDAP to twiddle
cn=config on a specified server accordingly.
From one of my scripts, which adjusts ACLs 3, 7, and 8 for anonymous vs. user-only read access:
#!/usr/bin/perl
use strict;
use warnings;
use Getopt::Std;
use Net::LDAP;

# -d: objectclass/GAL readable by authenticated users only (anonymous gets none)
# -e: objectclass/GAL readable by anonymous as well
my %options;
getopts('de', \%options);
die "usage: $0 -d | -e\n" unless ($options{d} xor $options{e});

# Connection setup is not part of the original snippet. The DN is a placeholder
# for the database entry under cn=config that carries the olcAccess values.
my $dn   = 'olcDatabase={2}hdb,cn=config';
my $ldap = Net::LDAP->new('ldapi://') or die "connect: $@\n";
my $mesg = $ldap->bind('cn=config', password => $ENV{LDAP_CONFIG_PW});
$mesg->code and die 'bind: ' . $mesg->error . "\n";

# Shared pieces of the three ACLs (the mail client wrapped the originals).
my $gal_attrs  = 'cn,co,company,dc,displayName,givenName,gn,initials,l,mail,o,ou,physicalDeliveryOfficeName,postalCode,sn,st,street,streetAddress,telephoneNumber,title,uid,homePhone,pager,mobile,userCertificate';
my $mail_attrs = 'zimbraId,zimbraMailAddress,zimbraMailAlias,zimbraMailCanonicalAddress,zimbraMailCatchAllAddress,zimbraMailCatchAllCanonicalAddress,zimbraMailCatchAllForwardingAddress,zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailHost,zimbraMailStatus,zimbraMailTransport,zimbraDomainName,zimbraDomainType,zimbraPrefMailLocalDeliveryDisabled';
my $admins  = 'by dn.children="cn=admins,cn=zimbra" write';
my $postfix = 'by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read';
my $amavis  = 'by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read';
my $gal     = 'filter="(!(zimbraHideInGal=TRUE))" attrs=' . $gal_attrs;

my @acls;
if ($options{d}) {
    @acls = (
        "{3}to attrs=objectclass $admins $postfix $amavis by users read by * none",
        "{7}to $gal $admins $postfix by users read by * none",
        "{8}to attrs=$mail_attrs $admins $postfix $amavis by * none",
    );
}
else {
    @acls = (
        "{3}to attrs=objectclass $admins $postfix $amavis by * read",
        "{7}to $gal $admins $postfix by * read",
        "{8}to attrs=$mail_attrs $admins $postfix $amavis by * read",
    );
}

# Each slot is replaced by deleting the old value by its bare ordering index
# ({n}), after which slapd renumbers the remaining values, and then adding the
# new value tagged {n}, which slapd inserts at position n. The two steps are
# separate operations, so the slot is briefly absent between them.
for my $acl (@acls) {
    my ($slot) = $acl =~ /^(\{\d+\})/;
    for my $change ([delete => $slot], [add => $acl]) {
        my ($op, $value) = @$change;
        $mesg = $ldap->modify($dn, $op => { olcAccess => $value });
        $mesg->code and die "$op olcAccess $slot: " . $mesg->error . "\n";
    }
}
$ldap->unbind;
Again, the ability to delete an existing acl by its ordering is invaluable.
So is the ability to do inserts in the ACL tables based on the ordering
number.
Here's another bit I've done to modify an existing ACL when upgrading
between Zimbra versions:
# A bound Net::LDAP handle ($ldap) and the database config DN ($dn) are
# assumed to exist, as in the snippet above; read the current ACL set.
my $result = $ldap->search(
    base   => $dn,
    scope  => 'base',
    filter => '(objectClass=*)',
    attrs  => ['olcAccess'],
);
$result->code and die 'search: ' . $result->error . "\n";
my $entry    = $result->entry($result->count - 1);
my @attrvals = $entry->get_value('olcAccess');
my $aclNumber = -1;
my $attrMod   = '';
foreach my $attr (@attrvals) {
    next unless $attr =~ /zimbraDomainName/;
    # ordering index of the ACL that covers zimbraDomainName
    ($aclNumber) = $attr =~ /^\{(\d+)\}/;
    # grant amavis read access ahead of the catch-all if it is not there yet
    if ($attr !~ /uid=zmamavis,cn=appaccts,cn=zimbra/) {
        $attrMod = $attr;
        $attrMod =~ s/by \* none/by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read by * none/;
    }
}
if ($aclNumber != -1 && $attrMod ne '') {
    # delete by index alone, then add the rewritten value at the same index
    $result = $ldap->modify($dn, delete => { olcAccess => "{$aclNumber}" });
    $result->code and die 'delete: ' . $result->error . "\n";
    $result = $ldap->modify($dn, add => { olcAccess => $attrMod });
    $result->code and die 'add: ' . $result->error . "\n";
}
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
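An added example, not code from this thread, from Zimbra or from OpenLDAP, that generalizes what the two Perl snippets above do: it parses slapd.conf-style `access` directives (the conversion David suggested), numbers them the way cn=config stores them, locates an ACL by the attribute it covers, inserts a missing `by` clause ahead of the catch-all using a small parser instead of a regex substitution, and emits the replacement as a single LDIF change record. Putting the delete of `{n}` and the add of the new value into one Modify operation matters because the server applies that operation atomically, whereas two separate modify calls leave the slot absent for a moment. The sample `access` directives are constructed and shortened from the ACLs in the message, the DN `olcDatabase={2}hdb,cn=config` is a placeholder for the real database entry, and `audit` is a defender's sanity check that the original scripts do not have.

```python
import re
from typing import List, Tuple

# Split a rule on the keyword "by" only where it is outside double quotes, so
# dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" is never cut in half.
_BY_SPLIT = re.compile(r'\s+by\s+(?=(?:[^"]*"[^"]*")*[^"]*$)')
_INDEX = re.compile(r'^\{(\d+)\}(.*)$', re.S)

# Constructed sample in slapd.conf syntax, shortened from the ACLs quoted in
# the thread; the DN is a placeholder for the real database entry.
SAMPLE_CONF = """\
access to attrs=objectclass
        by dn.children="cn=admins,cn=zimbra" write
        by users read
        by * none
access to attrs=zimbraDomainName,zimbraMailHost
        by dn.children="cn=admins,cn=zimbra" write
        by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read
        by * none
"""
DN = 'olcDatabase={2}hdb,cn=config'


def parse_conf_acls(text: str) -> List[str]:
    """Bodies of 'access to ... by ...' directives in file order, with indented
    continuation lines joined and any other directive ignored."""
    rules, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] in ' \t':                 # continuation of the open rule
            if current is not None:
                current += ' ' + raw.strip()
            continue
        if current is not None:             # any new directive closes the rule
            rules.append(current)
            current = None
        if raw.startswith('access '):
            current = raw[len('access '):].strip()
    if current is not None:
        rules.append(current)
    return rules


def to_olc_access(rules: List[str]) -> List[str]:
    """Number the rules the way cn=config stores them: '{n}to ... by ...'."""
    return [f'{{{n}}}{rule}' for n, rule in enumerate(rules)]


def split_index(value: str) -> Tuple[int, str]:
    m = _INDEX.match(value)
    if not m:
        raise ValueError(f'olcAccess value without {{n}} prefix: {value!r}')
    return int(m.group(1)), m.group(2).strip()


def parse_rule(rule: str) -> Tuple[str, List[Tuple[str, str]]]:
    """'to attrs=x by users read by * none' -> ('attrs=x', [('users', 'read'), ('*', 'none')])"""
    parts = _BY_SPLIT.split(rule.strip())
    if not parts[0].startswith('to '):
        raise ValueError(f'rule does not start with "to": {rule!r}')
    clauses = [tuple(clause.rsplit(None, 1)) for clause in parts[1:]]
    return parts[0][3:].strip(), clauses


def build_rule(what: str, clauses: List[Tuple[str, str]]) -> str:
    return f'to {what}' + ''.join(f' by {who} {access}' for who, access in clauses)


def find_rule(values: List[str], needle: str) -> Tuple[int, str]:
    """Index and body of the first value whose <what> part mentions needle
    (the thread looks up the zimbraDomainName ACL this way)."""
    for value in values:
        n, rule = split_index(value)
        if needle in parse_rule(rule)[0]:
            return n, rule
    raise LookupError(f'no olcAccess rule mentions {needle}')


def ensure_by_clause(rule: str, who: str, access: str) -> str:
    """Add 'by <who> <access>' unless <who> is already named, placing it ahead
    of a trailing catch-all 'by * ...' so the catch-all stays last."""
    what, clauses = parse_rule(rule)
    if any(w == who for w, _ in clauses):
        return rule
    pos = len(clauses) - 1 if clauses and clauses[-1][0] == '*' else len(clauses)
    clauses.insert(pos, (who, access))
    return build_rule(what, clauses)


def replace_rule_ldif(dn: str, index: int, new_rule: str) -> str:
    """One LDIF change record: delete slot {index} by its bare index, then add
    the new value tagged {index}. Both modifications ride in a single LDAP
    Modify, which the server applies atomically, so the slot is never empty."""
    return '\n'.join([
        f'dn: {dn}', 'changetype: modify',
        'delete: olcAccess', f'olcAccess: {{{index}}}', '-',
        'add: olcAccess', f'olcAccess: {{{index}}}{new_rule}', '-', '',
    ])


def audit(values: List[str]) -> List[str]:
    """Flag write/manage grants to '*' or 'anonymous', which are almost never
    intended on a directory that serves mail routing data."""
    findings = []
    for value in values:
        n, rule = split_index(value)
        what, clauses = parse_rule(rule)
        findings += [f'{{{n}}} grants {access} to {who} on {what}'
                     for who, access in clauses
                     if who in ('*', 'anonymous') and access in ('write', 'manage')]
    return findings


if __name__ == '__main__':
    values = to_olc_access(parse_conf_acls(SAMPLE_CONF))
    n, rule = find_rule(values, 'zimbraDomainName')
    amavis = 'dn.base="uid=zmamavis,cn=appaccts,cn=zimbra"'
    print(replace_rule_ldif(DN, n, ensure_by_clause(rule, amavis, 'read')))
    print(audit(values) or 'no anonymous write grants')
```

The printed record can be fed to `ldapmodify` as-is; because `ensure_by_clause` is idempotent, running the upgrade step twice produces the same ACL rather than a duplicated `by` clause, which is the failure the regex version guards against with its `!~` test.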