Re: ACL with val.regex expression - workaround found
I never figured out how to get any of the val.<type>=<value>
restrictions to meet my needs, so I resorted to using sets to accomplish
what I wanted. In case anyone else is ever trying to do something
similar, here is what I ended up with for an ACL statement:
    access to dn.regex="uid=.*,ou=people,dc=cs,dc=brown,dc=edu" attrs=loginShell
        by ssf=128 set="(this & user)/loginShell & ([/bin/csh] | [/bin/sh] | ...)" write
By doing this, I ensure the user is editing their own entry and that the
current value of the loginShell variable is amongst the list of shells I
permit people to change away from. I also have an explicit constraint
on loginShell:
    constraint_attribute loginShell regex ^(/bin/csh|/bin/sh|...)
earlier in the configuration, which limits what users can set their
shell to.
Hope this saves some people from the week or so of ACL fun I've been
enjoying ;)
Thanks to everyone who posted suggestions!
Mark
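
The following is an added example, not part of Mark's post or of OpenLDAP: a small Python model of how the ACL set and the constraint combine, run against constructed entries. It assumes the constraint pattern is applied as an unanchored regex search, uses only the two shells the post shows (the rest of the list is elided), and the function names and the anchored `$` variant are hypothetical.

```python
import re

# The post's shell list is elided ("..."); only the two shells it shows are used.
SHELLS = ["/bin/csh", "/bin/sh"]
TARGET_DN = re.compile(r"uid=.*,ou=people,dc=cs,dc=brown,dc=edu", re.I)
ALTERNATION = "|".join(re.escape(s) for s in SHELLS)
POSTED = re.compile(r"^(" + ALTERNATION + r")")     # pattern as posted, no "$"
ANCHORED = re.compile(r"^(" + ALTERNATION + r")$")  # assumption: anchored variant


def acl_allows_write(bound_dn, ssf, entry):
    """Model of: by ssf=128 set="(this & user)/loginShell & ([..] | [..])" write."""
    if ssf < 128:  # connection security strength below the required level
        return False
    if not TARGET_DN.search(entry["dn"]):
        return False
    # (this & user) is non-empty only when the bound DN is the entry itself.
    if bound_dn.lower() != entry["dn"].lower():
        return False
    # .../loginShell & (...): the CURRENT shell must be in the permitted list.
    return bool(set(entry.get("loginShell", [])) & set(SHELLS))


def constraint_allows(new_shell, pattern):
    """Model of the constraint on the NEW value (assumed to be a regex search)."""
    return pattern.search(new_shell) is not None


def can_change_shell(bound_dn, ssf, entry, new_shell, pattern=ANCHORED):
    """A write succeeds only if both the ACL and the constraint accept it."""
    return acl_allows_write(bound_dn, ssf, entry) and constraint_allows(new_shell, pattern)


if __name__ == "__main__":
    # Constructed sample entries, not real directory data.
    alice = {"dn": "uid=alice,ou=people,dc=cs,dc=brown,dc=edu", "loginShell": ["/bin/csh"]}
    locked = {"dn": "uid=carol,ou=people,dc=cs,dc=brown,dc=edu", "loginShell": ["/sbin/nologin"]}
    print(can_change_shell(alice["dn"], 128, alice, "/bin/sh"))    # own entry, allowed
    print(can_change_shell(locked["dn"], 128, locked, "/bin/sh"))  # current shell not listed
    print(constraint_allows("/bin/sh-extra", POSTED))              # prefix match passes
    print(constraint_allows("/bin/sh-extra", ANCHORED))            # rejected with "$"
```

If the real constraint pattern has no trailing `$`, a value that merely starts with a permitted shell path satisfies it, so it is worth checking that the full pattern in the configuration is anchored at both ends.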