[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Dynamic ACL in OpenLDAP with set:expand not working
On Tue, Aug 20, 2019 at 10:22:56PM +0200, Martin W. wrote:
> Dear OpenLDAP technical list,
>
> I‘ve been running into a little problem with my permission structures
> – and was wondering if you could help me with it.
>
> I want the members of a group to administer a tree structure, the
> group is member of it. I've tried some acl settings – I'll post my
> trials below the basic structure.
>
> I've tried some different things ... and none Regex was successful :(
> Since I'll post some fragments, I put every LDIF fragment within such
> a bash fragment:
>
>> olcAccess: to *
>> by self write
>> by dn="cn=admin,dc=example,dc=com" write
>> by set="[cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & user" write
>> by users read
>> by * none
>
> trial 1
>
>> olcAccess: to dn.regex="([^,]+,)?o=([^,]+),ou=entities,dc=example,dc=com"
>> by self write
>> by dn="cn=admin,dc=example,dc=com" write
>> by set="[cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & user" write
>> by set.expand="[cn=admin,o=$2,ou=entities,dc=example,dc=com]/member* & user" write
>> by set="this/member* & user" read
>> by * none
>
> The result is, that admin and any member of ldapadminscan edit, the
> members of specific entity admin subgroups cannot edit.
> The specific admin subgroups cannot even see the entities subtree.
Hi Martin,
what is the order of the above two olcAccess statements? If they apply
in the order above, it seems the first one will always apply and
processing will stop there. In that case you either want to add a
"break" in the first one or split/move it to be checked later.
I assume you also know and use the slapacl tool (and loglevel acl) to
test with? Does it show any additional information that might be helpful
in diagnosing the issue?
Regards,
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP