never mind - messy ACL problem solved
- To: openldap-software@OpenLDAP.org
- Subject: never mind - messy ACL problem solved
- From: "Kyle F. Downey" <kdowney@amberarcher.com>
- Date: Fri, 23 Mar 2001 16:51:22 -0500
- Organization: Amber Archer Consulting Co., Inc.
- User-agent: Mozilla/5.0 (X11; U; Linux 2.4.2 i686; en-US; 0.8) Gecko/20010217
1) I was ordering the rules for Directory Manager incorrectly, so the ACL code was applying the "read" rule that came before and bailing after the first match.
2) I forgot a "by * none" to deny access to that subset to everyone else.
Making those two fixes got it working, with the clients only able to see the top of the tree -- an "org" in my case. The addition of a rule just matching the first "dc" fixed this.
Kurt et al., thanks for a great product.
--kd
# by default, no access
defaultaccess none

# anyone can edit their own password
access to attr=userpassword
    by self write
    by * none

# anyone logged in can read information in the
# Amber Archer tree (eventually we'll have to
# restrict some attributes)
access to dn="ou=People,dc=amberarcher,dc=com"
    by dn=".+" read
    by * none

# client Directory Managers can edit anything under their
# tree, and client users can read any entry in their company
access to dn="dc=([^,]+),dc=([^,]+),ou=Clients,dc=amberarcher,dc=com"
    by self write
    by dn="cn=Directory Manager,dc=$1,dc=$2,ou=Clients,dc=amberarcher,dc=com" write
    by dn="cn=[^,]+,dc=$1,dc=$2,ou=Clients,dc=amberarcher,dc=com" read
    by * none

# the rule mentioned above: matches on the first "dc" alone, so a
# client's users can read the entry at the top of their tree
access to dn="dc=([^,]+),ou=Clients,dc=amberarcher,dc=com"
    by dn=".*,dc=$1,ou=Clients,dc=amberarcher,dc=com" read
    by * none

# anyone logged in can read the ou=Clients entry itself
access to dn="ou=Clients,dc=amberarcher,dc=com"
    by dn=".+" read
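As an added example (not part of the original post, and not OpenLDAP's own code), the following Python script models slapd's first-match ACL evaluation so that the two mistakes described above can be seen directly: directives are tried in order, the first "access to" whose dn/attr selector matches the target entry is the only one consulted, and within it the first matching "by" clause fixes the access level. The script parses the posted directives (with the wrapped Directory Manager line joined back together), rebuilds the ordering mistake from point 1 as an assumption (the users' read clause placed ahead of the Directory Manager's write clause inside the client directive), and checks a few constructed requester/target DN pairs for a made-up client company dc=acme,dc=com. Two simplifications are also assumptions: dn= patterns are treated as unanchored, case-insensitive regexes in the OpenLDAP 2.0 style, and a directive whose selector matches but whose "by" clauses all miss yields "none", i.e. the explicit "by * none" the post added.

```python
import re
import shlex

LEVELS = ["none", "auth", "compare", "search", "read", "write"]   # increasing, per slapd.access(5)

def parse_acl(conf):
    """Parse 'access to <what> by <who> <level> ...' directives into [(dn_regex, attr, [(who, level)])]."""
    directives = []
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("access"):
            directives.append(line)
        elif line.startswith("by") and directives:
            directives[-1] += " " + line          # continuation line of the current directive
    rules = []                                     # comments and 'defaultaccess' are skipped
    for d in directives:
        toks = shlex.split(d)                     # drops the quotes around dn="..."
        i, dn_re, attr = 2, None, None            # toks[0:2] == ["access", "to"]
        while i < len(toks) and toks[i] != "by":
            key, _, val = toks[i].partition("=")
            if key == "dn":
                dn_re = val                       # unanchored regex, OpenLDAP 2.0 dn= style (assumption)
            elif key == "attr":
                attr = val.lower()
            i += 1
        rules.append((dn_re, attr, [(toks[j + 1], toks[j + 2]) for j in range(i, len(toks), 3)]))
    return rules

def decide(rules, requester, target, attr=None):
    """Access level the requester gets on the target entry (or on one of its attributes)."""
    for dn_re, rule_attr, bys in rules:
        if rule_attr and (attr or "").lower() != rule_attr:
            continue
        m = re.search(dn_re, target, re.I) if dn_re else None
        if dn_re and m is None:
            continue
        # First matching <what> wins; later directives are never consulted.
        for who, level in bys:
            if who == "*":
                return level
            if who == "self":
                if requester.lower() == target.lower():
                    return level
            elif who.startswith("dn="):
                pat = who[3:]
                if m is not None:                 # expand $1, $2 ... captured from the target DN
                    pat = re.sub(r"\$(\d)", lambda g: re.escape(m.group(int(g.group(1)))), pat)
                if re.search(pat, requester, re.I):
                    return level
        return "none"   # no <by> matched: modeled as an implicit "by * none" (assumption)
    return "none"       # no <what> matched: the config's "defaultaccess none"

def allowed(rules, requester, target, op, attr=None):
    return LEVELS.index(decide(rules, requester, target, attr)) >= LEVELS.index(op)

# The post's corrected ACLs, with the wrapped Directory Manager line joined back together.
FIXED = """
defaultaccess none
access to attr=userpassword
    by self write
    by * none
access to dn="ou=People,dc=amberarcher,dc=com"
    by dn=".+" read
    by * none
access to dn="dc=([^,]+),dc=([^,]+),ou=Clients,dc=amberarcher,dc=com"
    by self write
    by dn="cn=Directory Manager,dc=$1,dc=$2,ou=Clients,dc=amberarcher,dc=com" write
    by dn="cn=[^,]+,dc=$1,dc=$2,ou=Clients,dc=amberarcher,dc=com" read
    by * none
access to dn="dc=([^,]+),ou=Clients,dc=amberarcher,dc=com"
    by dn=".*,dc=$1,ou=Clients,dc=amberarcher,dc=com" read
    by * none
access to dn="ou=Clients,dc=amberarcher,dc=com"
    by dn=".+" read
"""
DM_WRITE = '    by dn="cn=Directory Manager,dc=$1,dc=$2,ou=Clients,dc=amberarcher,dc=com" write\n'
USER_READ = '    by dn="cn=[^,]+,dc=$1,dc=$2,ou=Clients,dc=amberarcher,dc=com" read\n'
# Assumed reconstruction of the ordering mistake in point 1: the users' read clause comes first.
BROKEN = FIXED.replace(DM_WRITE + USER_READ, USER_READ + DM_WRITE)

# Constructed sample DNs: one client company, dc=acme,dc=com, under ou=Clients.
DM = "cn=Directory Manager,dc=acme,dc=com,ou=Clients,dc=amberarcher,dc=com"
BOB = "uid=bob,dc=acme,dc=com,ou=Clients,dc=amberarcher,dc=com"
OTHER = "uid=eve,dc=globex,dc=com,ou=Clients,dc=amberarcher,dc=com"
STAFF = "uid=kd,ou=People,dc=amberarcher,dc=com"

def demo():
    fixed, broken = parse_acl(FIXED), parse_acl(BROKEN)
    return {
        "broken: manager writes own user": allowed(broken, DM, BOB, "write"),
        "fixed: manager writes own user": allowed(fixed, DM, BOB, "write"),
        "fixed: manager reads other client": allowed(fixed, DM, OTHER, "read"),
        "fixed: anonymous reads People": allowed(fixed, "", STAFF, "read"),
        "fixed: staff reads People": allowed(fixed, STAFF, STAFF, "read"),
        "fixed: manager resets user password": allowed(fixed, DM, BOB, "write", "userPassword"),
    }
```

Calling demo() shows the effect of the ordering: with the users' read clause first, the client Directory Manager is pinned at "read" on its own users, because "cn=[^,]+" also matches "cn=Directory Manager" and the first matching "by" clause ends the search; with the corrected order the write clause is reached first, and cross-client access still ends at "by * none". The same first-match logic also exposes a side effect of this configuration that is worth knowing about: the attr=userpassword directive is listed first and has no dn selector, so it is the directive chosen for every entry's userPassword, and its "by self write / by * none" means the client Directory Manager cannot reset a user's password.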