Provided by: krb5-wallet-server_1.5-1.1_all

NAME

       Wallet::ACL::LDAP::Attribute - Wallet ACL verifier for LDAP attribute compares

SYNOPSIS

           my $verifier = Wallet::ACL::LDAP::Attribute->new;
           my $status = $verifier->check ($principal, "$attr=$value");
           if (not defined $status) {
               die "Something failed: ", $verifier->error, "\n";
           } elsif ($status) {
               print "Access granted\n";
           } else {
               print "Access denied\n";
           }

DESCRIPTION

       Wallet::ACL::LDAP::Attribute checks whether the LDAP record for the entry corresponding to a principal
       contains an attribute with a particular value.  It is used to verify ACL lines of type "ldap-attr".  The
       value of such an ACL is an attribute followed by an equal sign and a value, and the ACL grants access to
       a given principal if and only if the LDAP entry for that principal has that attribute set to that value.

       To use this object, several configuration parameters must be set.  See Wallet::Config for details on
       those configuration parameters and information about how to set wallet configuration.

METHODS

       new()
           Creates a new ACL verifier.  Opens and binds the connection to the LDAP server.

       check(PRINCIPAL, ACL)
           Returns true if PRINCIPAL is granted access according to ACL, false if not, and undef on an error
           (see "DIAGNOSTICS" below).  ACL must be an attribute name and a value, separated by an equal sign
           (with no whitespace).  PRINCIPAL will be granted access if its LDAP entry contains that attribute
           with that value.

       error()
           Returns the error if check() returned undef.

DIAGNOSTICS

       The new() method may fail with one of the following exceptions:

       LDAP attribute ACL support not available: %s
           Attempting to connect or bind to the LDAP server failed.

       LDAP attribute ACL support not configured
           The required configuration parameters were not set.  See Wallet::Config(3) for the required
           configuration parameters and how to set them.

       Verifying an LDAP attribute ACL may fail with the following errors (returned by the error() method):

       cannot check LDAP attribute %s for %s: %s
           The LDAP compare to check for the required attribute failed.  The attribute may have been misspelled,
           or there may be LDAP directory permission issues.  This error indicates that PRINCIPAL's entry was
           located in LDAP, but the check failed during the compare to verify the attribute value.

       cannot search for %s in LDAP: %s
           Searching for PRINCIPAL (possibly after ldap_map_principal() mapping) failed.  This is often due to
           LDAP directory permissions issues.  This indicates a failure during the mapping of PRINCIPAL to an
           LDAP DN.

       malformed ldap-attr ACL
           The ACL parameter to check() was malformed.  Usually this means that either the attribute or the
           value was empty or the required "=" sign separating them was missing.

       mapping principal to LDAP failed: %s
           There was an ldap_map_principal() function defined in the wallet configuration, but calling it for
           the PRINCIPAL argument failed.

       no principal specified
           The PRINCIPAL parameter to check() was undefined or the empty string.
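
       The three-way result of check() (true, false, undef) matters to callers: an error must deny access
       without being mistaken for a normal denial.  The following is an added example, not code from the
       wallet distribution; Local::StubVerifier, authorize() and the sample directory are hypothetical and
       only mirror the documented check()/error() contract so the caller logic runs without an LDAP server.

```perl
# Added example, not wallet code. Local::StubVerifier is a hypothetical
# stand-in with the documented check()/error() contract so the caller logic
# runs without an LDAP server; %DIRECTORY is constructed sample data.
use strict;
use warnings;

package Local::StubVerifier;

my %DIRECTORY = (
    'alice@EXAMPLE.ORG' => { department => ['security', 'ops'] },
    'bob@EXAMPLE.ORG'   => { department => ['finance'] },
);

sub new   { my ($class) = @_; return bless { error => undef }, $class }
sub error { my ($self)  = @_; return $self->{error} }
sub _fail { my ($self, $msg) = @_; $self->{error} = $msg; return }

# 1 = granted, 0 = denied, undef = error (reason available from error()).
sub check {
    my ($self, $principal, $acl) = @_;
    return $self->_fail('no principal specified')
        unless defined $principal && length $principal;
    my ($attr, $value) = split /=/, ($acl // ''), 2;
    return $self->_fail('malformed ldap-attr ACL')
        unless defined $attr && length $attr && defined $value && length $value;
    # Assumption of this stub: a principal with no entry is simply denied.
    my $values = ($DIRECTORY{$principal} // {})->{$attr} // [];
    my $matches = grep { $_ eq $value } @$values;
    return $matches ? 1 : 0;
}

package main;

# Fail closed: only a defined, true status grants access. An undef status is
# reported as an error instead of being folded silently into a denial.
sub authorize {
    my ($verifier, $principal, $acl) = @_;
    my $status = $verifier->check($principal, $acl);
    if (not defined $status) {
        warn "ACL check error, denying $principal: ", $verifier->error, "\n";
        return 0;
    }
    return $status ? 1 : 0;
}

my $verifier = Local::StubVerifier->new;
for my $case (['alice@EXAMPLE.ORG', 'department=security'],
              ['bob@EXAMPLE.ORG',   'department=security'],
              ['alice@EXAMPLE.ORG', 'department']) {      # missing "=value"
    my ($principal, $acl) = @$case;
    printf "%-18s %-20s => %s\n", $principal, $acl,
        authorize($verifier, $principal, $acl) ? 'granted' : 'denied';
}
```

       With the real module, the same authorize() logic applies to a verifier created by
       Wallet::ACL::LDAP::Attribute->new.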

SEE ALSO

       Wallet::ACL(3), Wallet::ACL::Base(3), Wallet::Config(3), wallet-backend(8)

       This module is part of the wallet system.  The current version is available from
       <https://www.eyrie.org/~eagle/software/wallet/>.

AUTHOR

       Russ Allbery <eagle@eyrie.org>

perl v5.38.2                                       2024-08-01                  Wallet::ACL::LDAP::Attribute(3pm)