Florian Best wrote:

> * How to allow the creation of objects with a specific objectclass only?

http://www.openldap.org/faq/data/cache/1474.html

The FAQ-O-MATIC does not look fancy but contains lots of useful access
control examples.

> All of the following examples aren't doing their job when *creating* an
> entry.

You probably need "add_content_acl yes" as mentioned in the FAQ above.

> Some further suggestions for the development are:
>
> * It would reduce a lot of redundancy if multiple "to" statements could
> be used in one ACL definition (so that the different by clauses don't
> always need to be copied).

Or you could use templating provided with ansible/puppet/saltstack/chef...

> * If the "by" clause would also have a filter="" one wouldn't need to
> use "set"s anymore - sets are slower and don't even work with all
> things (e.g. if you have special characters in the DN).

Are you aware that you can have hex-escaped bytes in DN string
representations?

> There is no way
> to escape "]" / "[" and urlencode things which are e.g. used in an LDAP
> URI filter. This can even lead to security issues.

Do you have a detailed example?

> * ACL rules can't be bound to the ldap operation (search, auth, add,
> modify, delete, ...), you can only remove e.g. some of the permission
> bits (e.g. access to if-operation="search" ...)

Setting the privileges is IMO sufficient.

> * Using backreferences of the DN in the filter="" or attrs="" would also
> be very handy (how to restrict e.g. the "uid" value to be only what's in
> the DN of the target/operating user?)

Use set-based constraints. In general slapo-constraint is your friend for
constraining attribute values.

Ciao,
Michael.
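The two pointers in the reply above (add_content_acl plus a slapo-constraint set) put together in one slapd.conf fragment, as an added example that is not from the thread or from the OpenLDAP FAQ; the suffix, OU and group DNs are placeholders, and the set assumes the slapd.access(5) set syntax where "this" is the target entry and "user" is the bound identity:

```conf
# Added example, not from the thread. Placeholder DNs throughout.
# Goal: only inetOrgPerson entries may be created under ou=people,
# and the uid written must be the operating user's own uid.

# Without this, the ACLs for an add are checked against an entry that
# does not exist yet, so a filter= on the "to" clause can never restrict
# WHAT is being created. With it, the content of the new entry is used.
add_content_acl on

# Step 1: the add itself needs write on the parent's "children"
# pseudo-attribute.
access to dn.exact="ou=people,dc=example,dc=com" attrs=children
    by group.exact="cn=provisioning,ou=groups,dc=example,dc=com" write
    by * read

# Step 2: write on the new entry's "entry" pseudo-attribute is granted
# only when the content being added matches the filter, i.e. when the
# entry carries objectClass inetOrgPerson.
access to dn.onelevel="ou=people,dc=example,dc=com"
        filter="(objectClass=inetOrgPerson)"
        attrs=entry
    by group.exact="cn=provisioning,ou=groups,dc=example,dc=com" write
    by * read

# Step 3: anything else under ou=people falls through to this rule,
# which never grants write on "entry", so the add is refused.
access to dn.onelevel="ou=people,dc=example,dc=com" attrs=entry
    by * read

# Step 4: attribute values of accepted entries.
access to dn.onelevel="ou=people,dc=example,dc=com"
    by group.exact="cn=provisioning,ou=groups,dc=example,dc=com" write
    by self read
    by * read

# slapo-constraint (must sit in the database section): the uid value
# being added or modified has to equal the uid of the bound user, so a
# user can neither create nor rename an entry to somebody else's uid.
overlay constraint
constraint_attribute uid set "this/uid & user/uid"
```

Reload and test with an add of a non-inetOrgPerson entry and with a uid that differs from the binding user's; both should be refused with insufficientAccessRights / constraintViolation respectively.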