DOKK / manpages / debian 13 / krb5-wallet-server / Wallet::ACL::LDAP::Attribute.3pm.en
Wallet::ACL::LDAP::Attribute(3pm) User Contributed Perl Documentation Wallet::ACL::LDAP::Attribute(3pm)

Wallet::ACL::LDAP::Attribute - Wallet ACL verifier for LDAP attribute compares

    my $verifier = Wallet::ACL::LDAP::Attribute->new;
    my $status = $verifier->check ($principal, "$attr=$value");
    if (not defined $status) {
        die "Something failed: ", $verifier->error, "\n";
    } elsif ($status) {
        print "Access granted\n";
    } else {
        print "Access denied\n";
    }

Wallet::ACL::LDAP::Attribute checks whether the LDAP record for the entry corresponding to a principal contains an attribute with a particular value. It is used to verify ACL lines of type "ldap-attr". The value of such an ACL is a valid LDAP filter, and the ACL grants access to a given principal if and only if an LDAP search using a filter constructed of the principal filter AND the ACL filter returns a single entry.

To use this object, several configuration parameters must be set. See Wallet::Config for details on those configuration parameters and information about how to set wallet configuration.

Creates a new ACL verifier. Opens and binds the connection to the LDAP server.
Returns true if PRINCIPAL is granted access according to ACL, false if not, and undef on an error (see "DIAGNOSTICS" below). ACL must be a valid LDAP filter. The filter formed using the PRINCIPAL and the ACL filter must return a single entry for access to be granted.
Returns the error if check() returned undef.

The new() method may fail with one of the following exceptions:

Attempting to connect or bind to the LDAP server failed.
The required configuration parameters were not set. See Wallet::Config(3) for the required configuration parameters and how to set them.

Verifying an LDAP attribute ACL may fail with the following errors (returned by the error() method):

The search for an ldap entry failed because of a configuration error in Wallet or the LDAP server. For example the Wallet configuration includes an invalid root DN.
The ACL filter stored as ldap-attr is not a valid LDAP filter.
The ACL filter stored as ldap-attr is not a valid LDAP filter.
There was an ldap_map_principal() function defined in the wallet configuration, but calling it for the PRINCIPAL argument failed.
The ACL parameter to check() was undefined or the empty string.
The PRINCIPAL parameter to check() was undefined or the empty string.

Wallet::ACL(3), Wallet::ACL::Base(3), Wallet::Config(3), wallet-backend(8)

This module is part of the wallet system. The current version is available from <https://www.eyrie.org/~eagle/software/wallet/>.

Russ Allbery <eagle@eyrie.org>

2024-11-12 perl v5.40.0