Macro ACLs / isMemberOf
We have a data privacy business requirement I am trying to achieve using ACLs. We have an external Partner who should only have read access to a few users; all the targeted users are in one group, let's say group1. These users don't have any common attribute values in their entries, so I can't use targetfilter. The application account the Partner is using is, let's say, "cn=testmacroacls,ou=nonpeople,o=example.com". I need to provide read access for "cn=testmacroacls" to all the users in the group "group1". Do you know how to achieve this with ACLs? I think it may be easy in DS 6.0 using "isMemberOf" in "targetfilter", but I need this now in DS 5.2.
I am not sure I can achieve this using macro ACLs, but I gave it a try and it didn't work.
aci: (target="ldap:///($dn)")(targetattr="cn||sn||givenname||mail")(targetfilter ="(&(cn=group1)(uniquemember=($dn)))")(version 3.0;acl "Allow read access to group of users"; allow(compare,read,search) userdn = "ldap:///cn=testmacroacls,ou=nonpeople,o=example.com"; )
OR
aci: (target="ldap:///($dn)")(targetattr="cn||sn||givenname||mail")(targetfilter ="(&(cn=group1)(uniquemember=[$dn],o=example.com))")(version 3.0;acl "Allow read access to group of users"; allow(compare,read,search) userdn = "ldap:///cn=testmacroacls,ou=nonpeople,o=example.com"; )
By kusupudia at 2007-11-26 16:59:21

# 2
> I'm afraid you can do this with Roles but not with groups in DS 5.2.
Thanks Ludovic. Our current provisioning and access control is based on groups.
> Or with DS 6.0 and the isMemberOf attribute.
isMemberOf is going to be useful in several areas, and this is one of them. Some LDAP-enabled applications can't make an extra search to get groups, etc. Some do an extra search on groups, such as WebLogic and WebSphere, but for some reason they request all the attributes in the group, and if the group has several thousand members they get memory errors. I am personally tired :-) of making an extra search for groups for the last 10 years. Are you guys planning to provide this backlink feature for other DN-syntax attributes also, such as manager, owner, etc.?
On a different topic, indirect CoS: do you have any plans to provide mapping onto a different attribute? For example, we have a requirement to show the manager's email and the manager's cn, etc., in the user's record. Currently with CoS you can only inherit an attribute from his/her manager under the same attribute name (mail->mail), but not (mail->managersmail).
Thanks again for your time in helping us.
krishna
>
> Ludovic.
# 3
Krishna,
There is no plan to provide a generic service of backlinks for all attributes with a DN syntax (such as manager and owner).
Maybe if you could describe what kind of service you are expecting and detail how you would want to use it, we will see the benefits and see whether they are higher than the costs.
With regard to the indirect CoS question, I believe there is an RFE open on this subject, but we do not have the resources to address it in the next release.
Regards,
Ludovic
# 4
Hi
Some possible ways:
1. To make your ACIs correct: I have not tried your ACI, but your example is faulty... You must use groupdn and not userdn for cn=testmacroacls,ou=nonpeople,o=example.com.
2. If your tested ACI won't work when corrected: make the application that writes to LDAP add cross-reference attributes, a "uniquemember" on the group and a "memberof" attribute on the user, and filter on memberof.
3. If the application cannot easily add cross-reference attributes, write an LDAP plugin that will add the cross-references. Also enable the "referential integrity plugin". This is probably not much work...
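The cross-reference approach from post #4 (options 2 and 3), worked through as an added example; this is not code from the thread or from the directory server. The script reads a constructed LDIF sample, writes a memberOf backlink onto every existing uniqueMember of each groupOfUniqueNames, reports dangling members (the case the referential integrity plugin guards against), emits the LDIF modify records that would load the backlinks, and builds the ACI the partner account then needs, which is a plain targetfilter on memberOf rather than a macro ACI. The ou=groups and ou=people containers, every sample entry, and the presence of a memberOf attribute type in the DS 5.2 schema are assumptions.

```python
# Added example, not code from the thread or from the directory server: build
# the memberOf backlinks post #4 suggests and the plain-targetfilter ACI they
# enable. The ou=groups / ou=people containers and all entries are assumptions.
import re
from collections import defaultdict

GROUP1_DN = "cn=group1,ou=groups,o=example.com"            # container assumed
PARTNER_DN = "cn=testmacroacls,ou=nonpeople,o=example.com"  # from the thread
PEOPLE_BASE = "ou=people,o=example.com"                     # container assumed

# Constructed sample: bob's member value differs only in case/spacing from his
# entry DN, uid=ghost has no entry at all, and carol is not in the group.
SAMPLE_LDIF = """\
dn: cn=group1,ou=groups,o=example.com
objectClass: groupOfUniqueNames
cn: group1
uniqueMember: uid=alice,ou=people,o=example.com
uniqueMember: UID=Bob, ou=People, o=example.com
uniqueMember: uid=ghost,ou=people,o=example.com

dn: uid=alice,ou=people,o=example.com
objectClass: inetOrgPerson
cn: Alice Example
sn: Example
mail: alice@example.com

dn: uid=bob,ou=people,o=example.com
objectClass: inetOrgPerson
cn: Bob Example
sn: Example
mail: bob@example.com

dn: uid=carol,ou=people,o=example.com
objectClass: inetOrgPerson
cn: Carol Example
sn: Example
mail: carol@example.com
"""

def normalize_dn(dn):
    """Lower-case, trim blanks round RDN separators (roughly distinguishedNameMatch)."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parse_ldif(text):
    """Minimal LDIF reader -> {normalised dn: {attr lower: [values]}}; unfolds
    continuation lines, does not handle base64 ('::') or URL ('<') values."""
    entries = {}
    for block in re.sub(r"\n ", "", text).strip().split("\n\n"):
        attrs, dn = defaultdict(list), None
        for line in block.splitlines():
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            elif name:
                attrs[name].append(value)
        if dn is None:
            raise ValueError("LDIF record without dn")
        attrs["dn"] = [dn]
        entries[normalize_dn(dn)] = attrs
    return entries

def add_backlinks(entries):
    """Write memberOf onto every existing member of each groupOfUniqueNames
    (assumes memberOf is in the schema). Returns (memberof, dangling); dangling
    lists (group, member) pairs with no entry, what referential integrity prevents."""
    memberof, dangling = defaultdict(set), []
    for gdn, group in entries.items():
        if "groupofuniquenames" not in [v.lower() for v in group["objectclass"]]:
            continue
        for member in group.get("uniquemember", []):
            mdn = normalize_dn(member)
            if mdn in entries:
                memberof[mdn].add(gdn)
            else:
                dangling.append((group["dn"][0], member))
    for dn, groups in memberof.items():
        entries[dn]["memberof"] = sorted(groups)
    return dict(memberof), dangling

def backlink_ldif(entries, memberof):
    """LDIF modify records that load the backlinks into the directory."""
    recs = []
    for dn in sorted(memberof):
        lines = [f"dn: {entries[dn]['dn'][0]}", "changetype: modify", "add: memberOf"]
        lines += [f"memberOf: {g}" for g in sorted(memberof[dn])]
        recs.append("\n".join(lines) + "\n-")
    return "\n\n".join(recs) + "\n"

def partner_aci(group_dn, partner_dn, people_base, attrs=("cn", "sn", "givenName", "mail")):
    """The ACI this enables: no macro, just a targetfilter on the backlink."""
    targetattr = "||".join(attrs)
    return (f'(target="ldap:///{people_base}")(targetattr="{targetattr}")'
            f'(targetfilter="(memberOf={group_dn})")'
            '(version 3.0; acl "Partner read access to group1 members"; '
            f'allow (read,search,compare) userdn="ldap:///{partner_dn}";)')

def visible_to_partner(entries, group_dn, attrs=("cn", "sn", "givenname", "mail")):
    """Simulate that ACI: entries whose memberOf matches, cut down to targetattr."""
    gdn = normalize_dn(group_dn)
    return {dn: {a: e[a] for a in attrs if a in e} for dn, e in entries.items()
            if any(normalize_dn(g) == gdn for g in e.get("memberof", []))}
```

To run it, parse SAMPLE_LDIF, call add_backlinks on the result, then backlink_ldif, partner_aci and visible_to_partner: alice and bob come back with only cn, sn and mail, carol does not, and uid=ghost is reported as dangling. Two points the thread's wording glosses over: membership must be compared on normalised DNs, since uniqueMember values can differ in case and spacing from the entry DN (bob in the sample), and the backlinks have to be kept in step with the group on every modify, which is what option 3's plugin is for; a stale memberOf is a stale grant to the partner.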