I have a followup requirement where I need to be able to restrict read
access to the groups as well as write access. I only want the owners of an
object to be able to read and write that object.

The reason for wanting to do this is to ensure that a user only sees the
groups that they can edit when they are using LDAP Account Manager. We have
quite a large number of groups and I am trying to head off users
complaining that they can't find the group they need to edit.

I've been experimenting with the ACLs to try to get it to work but I can
only get it to work if the owner is explicitly mentioned, rather than
indirectly mentioned as per the "member of a group" approach.

The ACLs so far are:

access to dn.one="dc=example,dc=com"
    by users read
    by * none

access to dn.one="ou=groups,dc=example,dc=com"
    by users read
    by * none

access to dn.sub="ou=groups,dc=example,dc=com"
    attrs=objectClass,uniqueMember
    by users read
    by * none

access to dn.sub="ou=groups,dc=example,dc=com"
    by dnattr="owner" write
    by users none
    by * none

access to dn.sub="ou=groups,dc=example,dc=com"
    by set="this/owner/uniqueMember & user" write
    by users none
    by * none

(I know that having 'by users none' is redundant but it is there to be
explicit)

The purpose of the ACLs is

1. Allow everyone to see the OU structure in the domain.
2. Allow everyone to see the OUs within the groups OU.
3. The intention here is to grant enough access to the attributes of a
group so that slapd can then evaluate the uniqueMember attribute. It isn't
entirely clear to me whether slapd needs a rule like this or should be able
to evaluate membership etc. before it applies ACLs for the user.
4. Allow directly mentioned owners to write, nothing to everyone else.
5. Allow indirectly mentioned owners to write, nothing to everyone else.

Thanks for any suggestions/observations.

Philip


On 30 January 2013 08:00, Andrew Findlay <[email protected]> wrote:

> On Thu, Jan 24, 2013 at 12:22:18PM +0000, Philip Colmer wrote:
>
> > What I want/need to be able to do is for LDAP to read the DN of the
> > group that has permission, in the same way that it does with dnattr. I
> > thought that I had read something about this being possible with sets,
> > but slapd.access says that "The statement set=<pattern> is undocumented
> > yet." so I'm not clear if that is the most appropriate way to proceed.
> >
> >
> > Can someone please advise on how this might be accomplished?
>
> Sets are indeed the answer. The documentation only exists in
> the OpenLDAP FAQ-o-matic at present, but you need something
> like this:
>
> access to dn.sub="ou=groups,dc=example,dc=com"
>         by set="this/manager/member & user" write
>         by users read
>         by * none
>
> That ACL would give write access to members of any group whose
> DN is listed in the "manager" attribute.
>
> The basic idea is that "this/manager/member" produces a set of DNs,
> "user" produces a set containing the DN of the bound user,
> and "&" generates the intersection of the two sets.
> If the result is a non-empty set then the "by" clause applies.
>
> Andrew
> --
> -----------------------------------------------------------------------
> |                 From Andrew Findlay, Skills 1st Ltd                 |
> | Consultant in large-scale systems, networks, and directory services |
> |     http://www.skills-1st.co.uk/                +44 1628 782565     |
> -----------------------------------------------------------------------
>
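The set mechanism Andrew describes, and the ordering question raised by the ACLs posted above, can be checked with a small model. This is an added example, not code from either poster or from OpenLDAP: it implements the "this/owner/uniqueMember & user" dereference-and-intersect rule together with slapd.access(5)'s first-match evaluation (only the first "access to" directive whose target matches is consulted, and within it the first matching "by" clause decides), against constructed entries and only the dn.sub directives from the thread.

```python
# Constructed sample entries (not from the thread): one group owned by a
# group DN, one owned directly by a user DN; groups sit in ou=teams,ou=groups.
ALICE, BOB, CAROL = ("uid=%s,ou=people,dc=example,dc=com" % u for u in ("alice", "bob", "carol"))
GROUPS = "ou=groups,dc=example,dc=com"
ADMINS, WEB, DB = ("cn=%s,ou=teams,%s" % (c, GROUPS) for c in ("admins", "web", "db"))
ENTRIES = {
    ADMINS: {"uniqueMember": [ALICE]},
    WEB: {"owner": [ADMINS], "uniqueMember": [BOB]},   # owner is a group
    DB: {"owner": [CAROL], "uniqueMember": [BOB]},     # owner is a user
}

def eval_set(expr, target, user):
    """'this/a/b & user': follow DN-valued attrs from target, intersect with {user}."""
    path = expr.split("&")[0].strip()
    dns = {target}
    for attr in path.split("/")[1:]:                 # path begins with 'this'
        dns = {v for dn in dns for v in ENTRIES.get(dn, {}).get(attr, [])}
    return dns & {user}

def by_matches(who, arg, target, user):
    if who == "*":      return True
    if who == "users":  return user is not None
    if who == "dnattr": return user in ENTRIES[target].get(arg, [])
    if who == "set":    return bool(eval_set(arg, target, user))
    raise ValueError(who)

def access_level(acl, user, target, attr):
    """First directive whose dn.sub base and attrs match is the only one
    consulted; its first matching by-clause decides (slapd.access(5))."""
    for base, attrs, by_clauses in acl:
        if not target.endswith("," + base) or (attrs and attr not in attrs):
            continue
        for who, arg, level in by_clauses:
            if by_matches(who, arg, target, user):
                return level
        return "none"                                # no by clause matched
    return "none"

SET = "this/owner/uniqueMember & user"
ATTR_RULE = (GROUPS, {"objectClass", "uniqueMember"}, [("users", None, "read"), ("*", None, "none")])
# As posted: dnattr and set tests in separate directives. For a bound user
# the first directive always ends in 'by users none', so the second is dead.
AS_POSTED = [ATTR_RULE,
    (GROUPS, None, [("dnattr", "owner", "write"), ("users", None, "none"), ("*", None, "none")]),
    (GROUPS, None, [("set", SET, "write"), ("users", None, "none"), ("*", None, "none")])]
# Both owner tests as by-clauses of one directive, so either can grant write.
COMBINED = [ATTR_RULE,
    (GROUPS, None, [("dnattr", "owner", "write"), ("set", SET, "write"), ("*", None, "none")])]
```

With AS_POSTED, alice (a member of the owning group) never reaches the set clause and gets "none" on cn=web; with COMBINED she gets "write", while bob, a plain member, still gets "none".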