Re: ACL syntax with wildcards
Nick Milas wrote:
> Let me re-phrase: Can we express the following three statements using
> ONE ACL statement? I haven't been able to find a solution.
>
> access to dn.subtree="ou=people,dc=example,dc=com"
>         filter="(ou=dept1)" attrs="attr1,attr2"
>         by group.exact="cn=dept1Admins,ou=Groups,dc=example,dc=com"
>         write
>
> [...same with other depts...]
This should work with normal OU names, but I'd feel nervous using it
since OU names involving '] ... [' would give an "ACL injection
attack":
access to dn.subtree="ou=people,dc=example,dc=com"
        attrs="attr1,attr2" filter="(ou=dept*)"
        by set.exact="user & ([cn=] + this/ou +
            [Admins,ou=Groups,dc=example,dc=com])/member" write
I'd feel safer with the group DN of the admin in an attribute in
the entry (here the owner attribute):
access to dn.subtree="ou=people,dc=example,dc=com"
        attrs="attr1,attr2" filter="(owner=*)"
        by set.exact="user & this/owner/member" write
OTOH anyone who has access to update the OU or owner attribute can give
themselves admin access anyway, so hopefully only admins can do that.
--
Hallvard
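A worked slapd.conf fragment for the owner-based variant, added here as an example and not part of Hallvard's message or of OpenLDAP's own documentation. It pairs the set-based ACL with the clause his last paragraph asks for, so that only the directory admins can set the ou and owner attributes that confer departmental admin rights. The group name cn=Directory Admins and the final catch-all read rule are assumptions, as is that people entries are allowed to carry the DN-valued owner attribute (for example through an auxiliary object class).

```conf
# slapd.conf ACL fragment (added example, not from the original post).
# Clauses are evaluated in order; the first "access to" whose <what>
# matches the entry and attribute decides, and anything no clause
# matches is denied.

# 1. Only the directory admins may write the attributes that grant
#    departmental admin rights. Assumption: this group exists.
access to dn.subtree="ou=people,dc=example,dc=com"
        attrs="ou,owner"
        by group.exact="cn=Directory Admins,ou=Groups,dc=example,dc=com" write
        by * read

# 2. Members of the group named in an entry's owner attribute may edit
#    attr1 and attr2 of that entry. "this/owner/member" expands the
#    owner DN to that group's member values; "user &" intersects them
#    with the bound DN. An entry without owner yields an empty set, so
#    nobody matches the set clause and the remaining "by" lines apply.
access to dn.subtree="ou=people,dc=example,dc=com"
        attrs="attr1,attr2" filter="(owner=*)"
        by set.exact="user & this/owner/member" write
        by self read
        by * none

# 3. Everything else: authenticated users may read (assumed default).
access to *
        by users read
```

To check the result without a client, slapacl(8) evaluates the configured ACLs for a given bind DN and target, for example `slapacl -f slapd.conf -D "cn=alice,ou=people,dc=example,dc=com" -b "cn=bob,ou=people,dc=example,dc=com" attr1/write` (both DNs illustrative); running it once as a member of the owner group and once as a non-member shows the set clause granting and refusing write as intended.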