Enhancement #2757

Flexible "what" clause in enforceAccessDirective()

Added by Davide Principi about 7 years ago. Updated about 7 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-directory
Target version: v6.5
Resolution:
NEEDINFO: No

Description

In the NethServer::Directory Perl module, the enforceAccessDirective() method allows setting an ACL per attribute (attrs= form) or on everything (*).

From slapd.access manual:

    dn[.<dnstyle>]=<dnpattern>
    filter=<ldapfilter>
    attrs=<attrlist>[ val[/matchingRule][.<attrstyle>]=<attrval>]

Allow also dn and filter forms.

Associated revisions

Revision 9e18e225
Added by Davide Principi about 7 years ago

NethServer::Directory (enforceAccessDirective): $field argument is now a full WHAT clause. Refs #2757

The old $field argument is now interpreted as a full WHAT clause. Only
the presence of an equal sign (=) triggers the old behaviour: "attrs="
is prepended.

Refer to slapd.access documentation for WHAT clause syntax.

Revision a715ad97
Added by Davide Principi about 7 years ago

Fix previous commit if WHAT is "*". Refs #2757

Revision c5832af6
Added by Davide Principi about 7 years ago

Directory (enforceAccessDirective): OLCSUFFIX placeholder. Refs #2757

Some ACLs depend on the actual backend olcSuffix attribute. The
placeholder is replaced with the value from the backend dynamically.

History

#1 Updated by Davide Principi about 7 years ago

  • Description updated (diff)

#2 Updated by Davide Principi about 7 years ago

We should change the function on $field parsing

Roughly, if $field contains =, it is a real WHAT field, as described in the manual, and must be inserted literally. Otherwise it's an attrlist and must be prepended with attrs=.
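
The rule stated in comment #2, together with the "*" case and the OLCSUFFIX placeholder mentioned in the associated revisions, as an added Perl example; it is not the NethServer::Directory code. The helper name normalize_what, the control-character check and the sample inputs are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added illustration; not the NethServer::Directory implementation.
use strict;
use warnings;

# Hypothetical helper: turn the caller's $field into a slapd.access <what> clause.
sub normalize_what {
    my ($field, $suffix) = @_;
    die "empty WHAT clause\n" unless defined $field && length $field;
    # Added sanity check (assumption): a clause is a single line of text.
    die "control character in WHAT clause\n" if $field =~ /[\r\n\0]/;

    my $what;
    if ($field eq '*') {
        $what = '*';                 # everything
    } elsif ($field =~ /=/) {
        $what = $field;              # dn=, filter= or attrs= form: inserted literally
    } else {
        $what = "attrs=$field";      # bare attribute list (old call style)
    }
    # OLCSUFFIX is the placeholder named in revision c5832af6; here the
    # suffix is passed in, standing for the backend's olcSuffix value.
    $what =~ s/OLCSUFFIX/$suffix/g if defined $suffix;
    return $what;
}

# Constructed sample inputs.
my $suffix = 'dc=directory,dc=nh';
my @cases = (
    '*',
    'userPassword,shadowLastChange',
    'dn.exact="ou=Phonebook,dc=directory,dc=nh"',
    'dn.subtree="ou=People,OLCSUFFIX"',
    'filter=(objectClass=posixAccount)',
);
for my $field (@cases) {
    printf "%-45s -> to %s by anonymous read\n",
        $field, normalize_what($field, $suffix);
}
```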

#3 Updated by Davide Principi about 7 years ago

  • Status changed from NEW to TRIAGED
  • % Done changed from 0 to 20

#4 Updated by Davide Principi about 7 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • % Done changed from 20 to 30

#5 Updated by Davide Principi about 7 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 60

Test case

After upgrade, check script exits cleanly:

    # /etc/e-smith/events/actions/nethserver-directory-dit-setup
    # echo $?
    0

And adding a new ACL works:

    # perl -MNethServer::Directory -e '$l = NethServer::Directory->new(); $l->enforceAccessDirective("by anonymous read", "dn.exact=\"ou=Phonebook,dc=directory,dc=nh\"");'
    # ldapsearch -LLL -Y EXTERNAL -b cn=config olcAccess=* olcAccess
    [... check directive is reported...]

#6 Updated by Davide Principi about 7 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

In nethserver-testing:
nethserver-directory-2.0.2-9.0gita715ad97.ns6.noarch.rpm

#7 Updated by Davide Principi about 7 years ago

  • Status changed from ON_QA to TRIAGED
  • % Done changed from 70 to 20

#8 Updated by Davide Principi about 7 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • % Done changed from 20 to 30

#9 Updated by Davide Principi about 7 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 60

#10 Updated by Davide Principi about 7 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

In nethserver-testing:
nethserver-directory-2.0.2-10.0gitc5832af6.ns6.noarch.rpm

#11 Updated by Giacomo Sanchietti about 7 years ago

  • Assignee set to Andrea Marchionni

#12 Updated by Andrea Marchionni about 7 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

Verified: ok

#13 Updated by Giacomo Sanchietti about 7 years ago

  • Assignee deleted (Andrea Marchionni)

#14 Updated by Giacomo Sanchietti about 7 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

Released in nethserver-updates:

  • nethserver-directory-2.0.3-1.ns6.noarch.rpm
