
ACL ‘Set’ Functionality to control Access based on Attributes



In my OpenLDAP directory I have a use case where I want a set of users to have special access rights. I want them to be able to read their peers’ information.

This could be done quite simply with a dedicated group, using a rule like

access to dn.children="ou=Users,dc=jumpcloud,dc=com" by group.exact="cn=Administrators,dc=jumpcloud,dc=com" read

This is the classic “access to what by who”, which you can see more of in the OpenLDAP Access Control documentation. (A small quibble, shouldn’t it be “whom”?). This rule would let anyone in the Administrators group read the entries under ou=Users,dc=jumpcloud,dc=com.

(Note that group.exact only works for groups of type objectClass: groupOfNames, whose member attribute holds full DNs. If the group is instead objectClass: posixGroup, whose memberUid attribute holds bare user names rather than DNs, this doesn’t work.)

In our particular scenario, however, having a group control the access isn’t going to work for us. Instead, I want to grant access based on one of the user’s attributes.

This is where the ‘experimental’ concept of sets comes in with our ACLs. Using a set we can specify that, so long as my user has the attribute ‘employeeType’ with the value ‘ldapAdmin’, he can read other users’ values.

access to dn.children="ou=Users,dc=jumpcloud,dc=com" by set="user/employeeType & [ldapAdmin]" read

Note that the “[“ and “]” around “ldapAdmin” are important — they cause it to be evaluated as a literal string, instead of as an attribute reference.

Now a user with that attribute can read anyone else under the Users DN.

However, since my directory is structured into separate organizations, this user should only have the right to read other users within the same organization. To make this work I’m going to use a regex on the target DN and the ‘expand’ clause on the set to lock them into their own organization.

access to dn.regex="ou=Users,o=([^,]+),dc=jumpcloud,dc=com" by set.expand="(user/employeeType + [,] + user/-1) & ([ldapAdmin,ou=Users,o=$1,dc=jumpcloud,dc=com])" read

Now I’m capturing the user’s organization, and I’m only granting access to users that are in the same organization.
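To see how the expanded set decides access, here is an added example (not part of the original post, and not slapd’s own evaluator) that simulates the two set rules above in Python. It assumes user/-1 yields the parent DN of the bound user, that DNs contain no escaped commas, and uses constructed sample entries.

```python
import re

# The unanchored regex from the "access to dn.regex=..." clause: $1 captures the
# organization. Because it is unanchored it also matches entries beneath ou=Users.
TARGET_RE = re.compile(r"ou=Users,o=([^,]+),dc=jumpcloud,dc=com")


def parent_dn(dn: str) -> str:
    """Simulates user/-1: the DN with its leftmost RDN stripped.
    Assumption: no escaped commas inside RDN values."""
    return dn.split(",", 1)[1]


def simple_set_grants_read(user_attrs: dict, target_dn: str) -> bool:
    """Simulates: access to dn.children="ou=Users,dc=jumpcloud,dc=com"
    by set="user/employeeType & [ldapAdmin]" read"""
    if not target_dn.endswith(",ou=Users,dc=jumpcloud,dc=com"):
        return False  # dn.children: target must lie beneath the base
    # [ldapAdmin] is a literal string set; & is set intersection.
    return bool(set(user_attrs.get("employeeType", [])) & {"ldapAdmin"})


def expand_set_grants_read(user_dn: str, user_attrs: dict, target_dn: str) -> bool:
    """Simulates: by set.expand="(user/employeeType + [,] + user/-1)
    & ([ldapAdmin,ou=Users,o=$1,dc=jumpcloud,dc=com])" read"""
    m = TARGET_RE.search(target_dn)
    if not m:
        return False  # the "access to" clause does not cover this target
    org = m.group(1)
    # Left side: each employeeType value concatenated with "," and the parent DN.
    left = {f"{v},{parent_dn(user_dn)}" for v in user_attrs.get("employeeType", [])}
    # Right side: the literal after $1 has been expanded from the target regex.
    right = {f"ldapAdmin,ou=Users,o={org},dc=jumpcloud,dc=com"}
    # Non-empty intersection means the rule grants read.
    return bool(left & right)


if __name__ == "__main__":
    # Constructed sample data: alice is an ldapAdmin in organization acme.
    alice = "uid=alice,ou=Users,o=acme,dc=jumpcloud,dc=com"
    attrs = {"employeeType": ["staff", "ldapAdmin"]}
    for target in ("uid=bob,ou=Users,o=acme,dc=jumpcloud,dc=com",
                   "uid=carol,ou=Users,o=globex,dc=jumpcloud,dc=com"):
        print(target, "->", expand_set_grants_read(alice, attrs, target))
```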


This ‘set’ functionality in LDAP ACLs is very powerful and handy. I look forward to playing with it more in the future.

