Anthony Messina
2009-Jul-25 19:17 UTC
[389-users] ACI Confusion (New to 389 Came from OL):
Hello, firstly, thanks for 389! I have just migrated my small domain from OL
to 389 DS including some basic replication and have found it to be a solid,
reliable and quick system.
I am however having a lot of confusion with ACIs. I am trying to create ACIs
with the same specificity that I had with OL and eGroupWare
(http://egroupware.org), but can't seem to get one of them figured out.
This is what I'm trying to accomplish (in OL format):
access to
dn.regex="^ou=personal,ou=contacts,ou=([^,]+),o=eGroupWare,dc=messinet,dc=com$"
attrs=children
by dn.exact="uid=egwadmin,o=eGroupWare,dc=messinet,dc=com"
write
by * none
access to
dn.regex="^cn=([^,]+),ou=personal,ou=contacts,ou=([^,]+),o=eGroupWare,dc=messinet,dc=com$"
attrs=entry
by dn.exact="uid=egwadmin,o=eGroupWare,dc=messinet,dc=com"
write
by
dn.exact,expand="uid=$1,ou=accounts,ou=$2,o=eGroupWare,dc=messinet,dc=com"
read
by * none
access to
dn.regex="cn=([^,]+),ou=personal,ou=contacts,ou=([^,]+),o=eGroupWare,dc=messinet,dc=com$"
by dn.exact="uid=egwadmin,o=eGroupWare,dc=messinet,dc=com"
write
by
dn.exact,expand="uid=$1,ou=accounts,ou=$2,o=eGroupWare,dc=messinet,dc=com"
write
by * none
I have tried using the following in 389 DS to no avail.
On the ou=messinet.com,ou=eGW,dc=messinet,dc=com entry...
(targetattr = "*") (target =
"ldap:///cn=($dn),ou=personal,ou=contacts,ou=messinet.com,ou=eGW,dc=messinet,dc=com")
(version 3.0;acl "eGW personal addressbook access";allow
(read,compare,search,write,delete,add)(userdn =
"ldap:///uid=($dn),ou=accounts,ou=messinet.com,ou=eGW,dc=messinet,dc=com");)
I need to have the uid of the binding user be matched to the cn of the tree
root for personal contacts.
How would I allow access by the bind user of:
"uid=example_user,ou=accounts,ou=messinet.com,ou=eGW,dc=messinet,dc=com"
to the entry and subentries of:
"cn=example_user,ou=personal,ou=contacts,ou=messinet.com,ou=eGW,dc=messinet,dc=com"
References to the suggested ACLs (for OL) are here:
http://svn.egroupware.org/egroupware/trunk/addressbook/doc/README
http://svn.egroupware.org/egroupware/trunk/addressbook/doc/acl_addressbook.conf
http://svn.egroupware.org/egroupware/trunk/phpgwapi/doc/ldap/acl_egw_addressbook.conf
Thank you very much in advance for your assistance.
--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
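As an added example (not part of this thread, and not eGroupWare's or 389 DS's code), the Python script below is an offline evaluator of the OpenLDAP rules quoted in the message above. It takes a bind DN, a target DN and the attribute scope (the entry or children pseudo-attribute, or ordinary attributes) and returns the access level the OL rules would grant, with $1/$2 expanded from the regex captures the same way dn.exact,expand does. The point of having such an oracle is verification: once ACIs are written in 389 DS, the same (bind DN, target DN) pairs can be tried against the live server and the results compared with what the intended policy says, which is how a user-to-user leak in the personal address books would be caught. The pseudo-attribute handling is simplified (a rule with no attrs= clause is treated as a catch-all) and DN comparison is a plain case-insensitive string compare; both are assumptions of this example, not slapd's exact semantics.

```python
import re

# Added example (not part of the thread): an offline evaluator for the
# OpenLDAP-style ACLs quoted above. It answers "what access should this
# bind DN get to this target DN?" so the result can be compared with what
# the 389 DS ACIs actually grant once they are deployed.

SUFFIX = "o=eGroupWare,dc=messinet,dc=com"
ADMIN_DN = "uid=egwadmin," + SUFFIX
OWNER_TEMPLATE = "uid=$1,ou=accounts,ou=$2," + SUFFIX   # dn.exact,expand form

# Each rule: (target regex, attrs scope, ordered `by` clauses).
# "*" as the scope stands for a rule with no attrs= clause (catch-all);
# "*" as the subject stands for `by * none`.
RULES = [
    (re.compile(r"^ou=personal,ou=contacts,ou=([^,]+)," + re.escape(SUFFIX) + r"$"),
     "children",
     [(ADMIN_DN, "write"), ("*", "none")]),
    (re.compile(r"^cn=([^,]+),ou=personal,ou=contacts,ou=([^,]+)," + re.escape(SUFFIX) + r"$"),
     "entry",
     [(ADMIN_DN, "write"), (OWNER_TEMPLATE, "read"), ("*", "none")]),
    (re.compile(r"cn=([^,]+),ou=personal,ou=contacts,ou=([^,]+)," + re.escape(SUFFIX) + r"$"),
     "*",
     [(ADMIN_DN, "write"), (OWNER_TEMPLATE, "write"), ("*", "none")]),
]


def expand(template, match):
    """Substitute $1, $2, ... with the groups captured from the target DN."""
    out = template
    for i, group in enumerate(match.groups(), start=1):
        out = out.replace("$%d" % i, group)
    return out


def access(bind_dn, target_dn, attrs="*"):
    """Return the access level ('write', 'read' or 'none') the rules grant.

    attrs is what is being asked about: the 'entry' or 'children'
    pseudo-attribute, or '*' for ordinary attributes. As in slapd, the
    first rule whose target matches decides, and within it the first
    matching `by` clause wins. The unanchored third regex is searched, not
    matched, so it also covers entries below cn=<user> (the "subentries").
    DN comparison here is a simplified case-insensitive string compare
    (an assumption of this example, not a full DN normalisation).
    """
    for pattern, scope, by_clauses in RULES:
        match = pattern.search(target_dn)
        if not match or scope not in ("*", attrs):
            continue
        for subject, level in by_clauses:
            if subject == "*" or expand(subject, match).lower() == bind_dn.lower():
                return level
    return "none"


if __name__ == "__main__":
    # Constructed sample DNs following the tree layout described in the thread.
    owner = "uid=amessina,ou=accounts,ou=messinet.com," + SUFFIX
    other = "uid=bob,ou=accounts,ou=messinet.com," + SUFFIX
    book = "cn=amessina,ou=personal,ou=contacts,ou=messinet.com," + SUFFIX
    for who in (owner, other, ADMIN_DN):
        print(who.split(",")[0], "->", access(who, book),
              "/ entry:", access(who, book, "entry"))
```

The interesting checks are the negative ones: a second user (uid=bob) must get "none" on cn=amessina's address book and on everything below it, and a non-admin must get "none" for adding children directly under ou=personal. Running the same pairs against the 389 DS instance (ldapsearch/ldapmodify bound as each user) and diffing against this oracle is a cheap regression test for the ACIs as they are tightened up.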
John A. Sullivan III
2009-Jul-25 20:54 UTC
Re: [389-users] ACI Confusion (New to 389 Came from OL):
On Sat, 2009-07-25 at 14:17 -0500, Anthony Messina wrote:
> Hello, firstly, thanks for 389! I have just migrated my small domain from OL
> to 389 DS including some basic replication and have found it to be a solid,
> reliable and quick system.
>
> I am however having a lot of confusion with ACIs. I am trying to create ACIs
> with the same specificity that I had with OL and eGroupWare
> (http://egroupware.org), but can't seem to get one of them figured out.
>
> This is what I'm trying to accomplish (in OL format):
> access to
> dn.regex="^ou=personal,ou=contacts,ou=([^,]+),o=eGroupWare,dc=messinet,dc=com$"
> attrs=children
> by dn.exact="uid=egwadmin,o=eGroupWare,dc=messinet,dc=com" write
> by * none
>
> access to
> dn.regex="^cn=([^,]+),ou=personal,ou=contacts,ou=([^,]+),o=eGroupWare,dc=messinet,dc=com$"
> attrs=entry
> by dn.exact="uid=egwadmin,o=eGroupWare,dc=messinet,dc=com" write
> by
> dn.exact,expand="uid=$1,ou=accounts,ou=$2,o=eGroupWare,dc=messinet,dc=com"
> read
> by * none
>
> access to
> dn.regex="cn=([^,]+),ou=personal,ou=contacts,ou=([^,]+),o=eGroupWare,dc=messinet,dc=com$"
> by dn.exact="uid=egwadmin,o=eGroupWare,dc=messinet,dc=com" write
> by
> dn.exact,expand="uid=$1,ou=accounts,ou=$2,o=eGroupWare,dc=messinet,dc=com"
> write
> by * none
>
> I have tried using the following in 389 DS to no avail.
> On the ou=messinet.com,ou=eGW,dc=messinet,dc=com entry...
>
> (targetattr = "*") (target =
> "ldap:///cn=($dn),ou=personal,ou=contacts,ou=messinet.com,ou=eGW,dc=messinet,dc=com")
> (version 3.0;acl "eGW personal addressbook access";allow
> (read,compare,search,write,delete,add)(userdn =
> "ldap:///uid=($dn),ou=accounts,ou=messinet.com,ou=eGW,dc=messinet,dc=com");)
>
> I need to have the uid of the binding user be matched to the cn of the tree
> root for personal contacts.
>
> How would I allow access by the bind user of:
> "uid=example_user,ou=accounts,ou=messinet.com,ou=eGW,dc=messinet,dc=com"
> to the entry and subentries of:
> "cn=example_user,ou=personal,ou=contacts,ou=messinet.com,ou=eGW,dc=messinet,dc=com"
>
> References to the suggested ACLs (for OL) are here:
> http://svn.egroupware.org/egroupware/trunk/addressbook/doc/README
> http://svn.egroupware.org/egroupware/trunk/addressbook/doc/acl_addressbook.conf
> http://svn.egroupware.org/egroupware/trunk/phpgwapi/doc/ldap/acl_egw_addressbook.conf
<snip>
Hmm . . . I've never used an ACI swapping attributes as you are (CN for UID)
but I would think it should work. Out of curiosity, if you set the user's
CN = UID and then rewrite the ACI to be ldap://($dn),....., does it work?

I'm eager to see what more knowledgeable folks have to say. Good luck - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
Anthony Messina
2009-Jul-25 22:00 UTC
Re: [389-users] ACI Confusion (New to 389 Came from OL):
On Saturday 25 July 2009 03:54:57 pm John A. Sullivan III wrote:
> Hmm . . . I've never used an ACI swapping attributes as you are (CN for
> UID) but I would think it should work. Out of curiosity, if you set the
> user's CN = UID and then rewrite the ACI to be ldap://($dn),....., does
> it work?

Thanks for giving a good stab at this, John. I tried just changing the "cn"
for a user without changing the dn to read cn=amessina... (currently,
eGroupWare expects it to read uid=amessina...) That did not work.

Is it to be expected, then, that one is not able to do something like:

target = ldap://some_attr=($dn)...

userdn = ldap://some_other_attr=($dn)... or
userdn = ldap://some_other_attr=[$dn]...
???

In short, does the ($dn) macro in the target HAVE TO match the whole portion
between the commas, like "uid=amessina" rather than just "amessina":

Can it do:
target = ldap://cn=($dn),ou=....
or must it be:
target = ldap://($dn),ou=...

> I'm eager to see what more knowledgeable folks have to say. Good luck -
> John

I'm thinking that I'll be using the ($attr) or userattr methods, but I'm not
sure how as the access is based on the tree structure, rather than attributes
of subcomponent entries:

+-ou=messinet.com,ou=egw,dc=messinet,dc=com
  |
  +-ou=accounts
  | +-uid=amessina
  | +-uid=...
  |
  +-ou=groups
  | +-cn=Default
  | +-cn=...
  |
  +-ou=contacts
    |
    +-ou=shared
    | +-cn=default
    | +-cn=...
    |
    +-ou=personal
      +-cn=amessina
      +-cn=...

--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
John A. Sullivan III
2009-Jul-25 23:17 UTC
Re: [389-users] ACI Confusion (New to 389 Came from OL):
On Sat, 2009-07-25 at 17:00 -0500, Anthony Messina wrote:
> On Saturday 25 July 2009 03:54:57 pm John A. Sullivan III wrote:
> > Hmm . . . I've never used an ACI swapping attributes as you are (CN for
> > UID) but I would think it should work. Out of curiosity, if you set the
> > user's CN = UID and then rewrite the ACI to be ldap://($dn),....., does
> > it work?
>
> Thanks for giving a good stab at this, John. I tried just changing the "cn"
> for a user without changing the dn to read cn=amessina... (currently,
> eGroupWare expects it to read uid=amessina...) That did not work.
>
> Is it to be expected, then, that one is not able to do something like:
>
> target = ldap://some_attr=($dn)...
>
> userdn = ldap://some_other_attr=($dn)... or
> userdn = ldap://some_other_attr=[$dn]...
> ???
>
> In short, does the ($dn) macro in the target HAVE TO match the whole portion
> between the commas, like "uid=amessina" rather than just "amessina":
>
> Can it do:
> target = ldap://cn=($dn),ou=....
> or must it be:
> target = ldap://($dn),ou=...
>
<snip>
As I mentioned, I've never tried it using just the value and swapping
attributes. I would expect it would work. We have used variable substitution
very successfully in some quite complex ACIs.

(target = "ldap:///($dn),o=internal,dc=ssiservices,dc=biz")(targetattr !=
"sambaLMPassword || sambaNTPassword || userPassword") (version 3.0;acl
"Client Internal Directory Searcher";allow (read,compare,search)(userdn =
"ldap:///uid=*dsearcher, [$dn],o=sysaccounts,dc=ssiservices,dc=biz");)

I would have thought what you were doing would work just as you described.
The biggest problem we have faced is not being able to use wildcards in
groupdn although we can in userdn.

I can say that using the complete attribute does work as advertised.
Hopefully the gurus will return to the list soon! I'd like to know why what
you have proposed doesn't work. Good luck - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
Anthony Messina
2009-Jul-26 05:00 UTC
Re: [389-users] ACI Confusion (New to 389 Came from OL):
On Saturday 25 July 2009 06:17:27 pm John A. Sullivan III wrote:
> As I mentioned, I've never tried it using just the value and swapping
> attributes. I would expect it would work. We have used variable
> substitution very successfully in some quite complex ACIs.
>
> (target = "ldap:///($dn),o=internal,dc=ssiservices,dc=biz")(targetattr !=
> "sambaLMPassword || sambaNTPassword || userPassword") (version 3.0;acl
> "Client Internal Directory Searcher";allow (read,compare,search)(userdn
> = "ldap:///uid=*dsearcher, [$dn],o=sysaccounts,dc=ssiservices,dc=biz");)
>
> I would have thought what you were doing would work just as you
> described. The biggest problem we have faced is not being able to use
> wildcards in groupdn although we can in userdn.
>
> I can say that using the complete attribute does work as advertised.
> Hopefully the gurus will return to the list soon! I'd like to know why
> what you have proposed doesn't work. Good luck - John
<more snippage>
I have gotten much closer. I think I'll need to tighten them up a bit
(parents/children/etc), but here's where I got so far...

http://messinet.com/trac/egw/browser/README.389DS

Thanks for your help. If you think of anything else, let me know. I surely
wouldn't call this solved. -A
--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E