ACLs - match FDN to portion of attribute
Sergiy Stepanenko
2010-04-13 16:38:37 UTC
Hello everybody,

I am in need of some good advice. I have a problematic spot in my ACL and
so far I cannot figure out what to do with it.

This is what needs to be accomplished:

An entry has an attribute uofsGroupRole that may contain values like:
uid=some_user, ou=nsids,ou=people,dc=usask,dc=ca:some_role

Only the user with the matching uid may see this attribute and its value.

I tried:
access to attrs=uofsGroupRole
val.regex="uid=([^,]+),ou=nsids,ou=people,dc=usask,dc=ca.*$"
by dn.regex="uid=$1,ou=nsids,ou=people,dc=usask,dc=ca$" read

And it did not work as required. I know the problem is in the regex, but I
cannot find it.
Any suggestions are greatly appreciated.

Cheers
--
Sergiy Stepanenko
Systems Administrator
Information Technology Services
University of Saskatchewan
-----------------------------------
phone: (306) 966-2762
email:***@usask.ca
Andrew Findlay
2010-04-14 18:35:23 UTC
Post by Sergiy Stepanenko
uid=some_user, ou=nsids,ou=people,dc=usask,dc=ca:some_role
Only the user with the matching uid may see this attribute and its value.
access to attrs=uofsGroupRole
val.regex="uid=([^,]+),ou=nsids,ou=people,dc=usask,dc=ca.*$"
by dn.regex="uid=$1,ou=nsids,ou=people,dc=usask,dc=ca$" read
And it did not work as required. I know the problem is in the regex, but I
cannot find it.
The final dollar sign in the 'by' clause needs to be escaped with a
second dollar sign - like this example from the slapd.access manpage:

access to dn.regex="^(.+,)?uid=([^,]+),dc=[^,]+,dc=com$"
by dn.regex="^uid=$2,dc=[^,]+,dc=com$$" write

In your case, you could probably simplify the 'by' clause like this:

access to attrs=uofsGroupRole
val.regex="uid=([^,]+),ou=nsids,ou=people,dc=usask,dc=ca.*$"
by dn.exact,expand="uid=$1,ou=nsids,ou=people,dc=usask,dc=ca" read

Make sure that you have a rule that will deny access to other users.

Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
Sergiy Stepanenko
2010-04-15 14:41:41 UTC
Post by Andrew Findlay
Post by Sergiy Stepanenko
uid=some_user, ou=nsids,ou=people,dc=usask,dc=ca:some_role
Only the user with the matching uid may see this attribute and its value.
access to attrs=uofsGroupRole
val.regex="uid=([^,]+),ou=nsids,ou=people,dc=usask,dc=ca.*$"
by dn.regex="uid=$1,ou=nsids,ou=people,dc=usask,dc=ca$" read
And it did not work as required. I know the problem is in the regex, but I
cannot find it.
The final dollar sign in the 'by' clause needs to be escaped with a
access to dn.regex="^(.+,)?uid=([^,]+),dc=[^,]+,dc=com$"
by dn.regex="^uid=$2,dc=[^,]+,dc=com$$" write
access to attrs=uofsGroupRole
val.regex="uid=([^,]+),ou=nsids,ou=people,dc=usask,dc=ca.*$"
by dn.exact,expand="uid=$1,ou=nsids,ou=people,dc=usask,dc=ca" read
Thank you. I will test it today and will be back with a result. It is a
shame I had not noticed such a thing...
Post by Andrew Findlay
Make sure that you have a rule that will deny access to other users.
Andrew
--
Sergiy Stepanenko
Systems Administrator
Information Technology Services
University of Saskatchewan
-----------------------------------
phone: (306) 966-2762
email:***@usask.ca
Sergiy Stepanenko
2010-04-19 18:12:19 UTC
Hi Andrew
I finally figured it out and here is what I did:

ACL
-----
access to attrs=uofsGroupRole val.regex="^([^:]+):.+$"
by dn.exact,expand="${v1}" read
by * none

Only an attribute value that contains the user's DN is available to
said user. It works exactly the way I want it. The only difference from
the documentation is "${v1}", which is explained here:
http://www.openldap.org/lists/openldap-bugs/200811/msg00078.html if you
are interested...

Thank you for your response,
Cheers
Post by Andrew Findlay
Post by Sergiy Stepanenko
uid=some_user, ou=nsids,ou=people,dc=usask,dc=ca:some_role
Only the user with the matching uid may see this attribute and its value.
access to attrs=uofsGroupRole
val.regex="uid=([^,]+),ou=nsids,ou=people,dc=usask,dc=ca.*$"
by dn.regex="uid=$1,ou=nsids,ou=people,dc=usask,dc=ca$" read
And it did not work as required. I know the problem is in the regex, but I
cannot find it.
The final dollar sign in the 'by' clause needs to be escaped with a
access to dn.regex="^(.+,)?uid=([^,]+),dc=[^,]+,dc=com$"
by dn.regex="^uid=$2,dc=[^,]+,dc=com$$" write
access to attrs=uofsGroupRole
val.regex="uid=([^,]+),ou=nsids,ou=people,dc=usask,dc=ca.*$"
by dn.exact,expand="uid=$1,ou=nsids,ou=people,dc=usask,dc=ca" read
Make sure that you have a rule that will deny access to other users.
Andrew
--
Sergiy Stepanenko
Systems Administrator
Information Technology Services
University of Saskatchewan
-----------------------------------
phone: (306) 966-2762
email:***@usask.ca
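To make the substitution rules discussed in this thread concrete (Andrew's point that a literal dollar sign in a 'by' clause must be written as "$$", and Sergiy's working ACL that uses "${v1}" to expand a submatch of val.regex into dn.exact), here is a small Python model of how slapd evaluates such a rule per attribute value. It is an added example written for this page, not code from OpenLDAP or from either poster; the entry data is constructed, the DN normalization is a deliberate simplification of slapd's dnNormalize, and the rule that a missing 'by' match denies access is the model's own assumption rather than something this thread states.

```python
import re

# Constructed sample entry for the simulation; not taken from a live directory.
ATTR = "uofsGroupRole"
ENTRY = {
    "uofsGroupRole": [
        "uid=some_user, ou=nsids,ou=people,dc=usask,dc=ca:some_role",
        "uid=other_user,ou=nsids,ou=people,dc=usask,dc=ca:admin_role",
    ],
}

# The thread's final ACL, expressed as data for the simulator:
#   access to attrs=uofsGroupRole val.regex="^([^:]+):.+$"
#       by dn.exact,expand="${v1}" read
#       by * none
ACL = {
    "attrs": ATTR,
    "val_regex": r"^([^:]+):.+$",
    "by": [
        ("dn.exact,expand", "${v1}", "read"),
        ("*", None, "none"),
    ],
}

def normalize_dn(dn):
    """Crude DN normalization: drop whitespace around commas and lowercase
    attribute types. slapd's dnNormalize does far more; this is only enough
    for the sample data above (a simplification, not slapd's algorithm)."""
    rdns = []
    for rdn in dn.split(","):
        atype, _, avalue = rdn.strip().partition("=")
        rdns.append(atype.strip().lower() + "=" + avalue.strip())
    return ",".join(rdns)

# Substitution references as the thread describes them:
#   $N / ${N}  -> submatch N of the 'to dn.regex' pattern
#   ${vN}      -> submatch N of the val.regex pattern (Sergiy's ${v1})
#   $$         -> one literal dollar sign (Andrew's escaping point)
_REF = re.compile(r"\$\$|\$\{v(?P<v>\d+)\}|\$\{(?P<b>\d+)\}|\$(?P<n>\d+)")

def expand(template, dn_groups=(), val_groups=()):
    """Expand a 'by' clause template. Index 0 of each tuple is the whole
    match, so $1 / ${v1} refer to the first parenthesised group."""
    def sub(m):
        if m.group(0) == "$$":
            return "$"
        if m.group("v") is not None:
            return val_groups[int(m.group("v"))]
        return dn_groups[int(m.group("b") or m.group("n"))]
    return _REF.sub(sub, template)

def access_for(acl, attr, value, bind_dn):
    """Access level granted to bind_dn on one value of attr by the first
    matching 'by' clause, or None when the rule does not apply to it."""
    if attr != acl["attrs"]:
        return None
    m = re.match(acl["val_regex"], value)
    if m is None:
        return None
    val_groups = (m.group(0),) + m.groups()
    for who, template, level in acl["by"]:
        if who == "*":
            return level
        if who == "dn.exact,expand":
            # the expanded value is compared as a DN, not as a raw string
            if normalize_dn(expand(template, (), val_groups)) == normalize_dn(bind_dn):
                return level
    # Model's assumption: no matching 'by' clause means no access.
    return "none"

def visible_values(acl, entry, attr, bind_dn):
    """The attribute values bind_dn is allowed to read under acl."""
    return [v for v in entry.get(attr, [])
            if access_for(acl, attr, v, bind_dn) == "read"]

if __name__ == "__main__":
    for who in ("uid=some_user,ou=nsids,ou=people,dc=usask,dc=ca",
                "uid=other_user,ou=nsids,ou=people,dc=usask,dc=ca",
                "uid=nobody,ou=nsids,ou=people,dc=usask,dc=ca"):
        print(who, "->", visible_values(ACL, ENTRY, ATTR, who))
```

Running it shows each bound user seeing only the value whose DN prefix is their own, and an unrelated user seeing nothing; removing the trailing "by * none" clause is the mistake Andrew's last sentence warns about, and in this model the implicit deny still covers it, but a real slapd.conf should state the deny explicitly rather than rely on defaults.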
m***@aero.polimi.it
2010-04-19 22:04:36 UTC
Post by Sergiy Stepanenko
Hi Andrew
ACL
-----
access to attrs=uofsGroupRole val.regex="^([^:]+):.+$"
by dn.exact,expand="${v1}" read
by * none
Only an attribute value that contains the user's DN is available to
said user. It works exactly the way I want it. The only difference from
http://www.openldap.org/lists/openldap-bugs/200811/msg00078.html if you
are interested...
I've documented this feature in slapd.access(5), as part of ITS#5804.

Thanks, p.
Sergiy Stepanenko
2010-04-19 22:33:30 UTC
Post by m***@aero.polimi.it
Post by Sergiy Stepanenko
Hi Andrew
ACL
-----
access to attrs=uofsGroupRole val.regex="^([^:]+):.+$"
by dn.exact,expand="${v1}" read
by * none
Only an attribute value that contains the user's DN is available to
said user. It works exactly the way I want it. The only difference from
http://www.openldap.org/lists/openldap-bugs/200811/msg00078.html if you
are interested...
I've documented this feature in slapd.access(5), as part of ITS#5804.
Thanks, p.
My pleasure.
--
Sergiy Stepanenko
Systems Administrator
Information Technology Services
University of Saskatchewan
-----------------------------------
phone: (306) 966-2762
email:***@usask.ca