
never mind - messy ACL problem solved



1) I was ordering the rules for directory manager incorrectly, so the ACL code was applying the
"read" rule that came before and bailing after the first match
2) I forgot a "by * none" to deny access to that subset to everyone else


Making those two fixes got it working, with the clients only able to see the top of the tree,
an "org" in my case. The addition of a rule just matching the first "dc" fixed this.


Kurt et al., thanks for a great product.

--kd


# by default, no access
defaultaccess none

# anyone can edit their own password
access to attr=userpassword
      by self write
      by * none

# anyone logged in can read information in the
# Amber Archer tree (eventually we'll have to
# restrict some attributes)
access to dn="ou=People,dc=amberarcher,dc=com"
      by dn=".+" read
      by * none

# client Directory Managers can edit anything under their
# tree, and client users can read any entry in their company

access to dn="dc=([^,]+),dc=([^,]+),ou=Clients,dc=amberarcher,dc=com"
      by self write
      by dn="cn=Directory Manager,dc=$1,dc=$2,ou=Clients,dc=amberarcher,dc=com" write
      by dn="cn=[^,]+,dc=$1,dc=$2,ou=Clients,dc=amberarcher,dc=com" read
      by * none


access to dn="dc=([^,]+),ou=Clients,dc=amberarcher,dc=com"
      by dn=".*,dc=$1,ou=Clients,dc=amberarcher,dc=com" read
      by * none

access to dn="ou=Clients,dc=amberarcher,dc=com"
      by dn=".+" read
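The first-match behaviour the post describes can be checked offline before a config goes live. The evaluator below is an added example, not OpenLDAP's code: it parses a small subset of slapd.conf access directives (dn="<regex>" targets; self, * and dn="<regex>" by-clauses with $1/$2 back-references) and applies first-match semantics, so the Directory Manager ordering mistake shows up as "read" instead of "write". The rule texts, client names (acme, globex, initech) and user DNs are constructed for the demonstration; only the ou=Clients,dc=amberarcher,dc=com suffix comes from the post. Regexes are matched unanchored (re.search), which is the assumption under which the post's patterns cover entries below each client root.

```python
"""Toy first-match evaluator for slapd.conf-style access directives.

Added example, not OpenLDAP's code. Assumptions: only dn="<regex>"
targets and self / * / dn="<regex>" by-clauses are parsed; regexes are
matched unanchored (re.search); $1, $2, ... in a by-clause refer to the
groups captured by the directive's target regex; if a directive matches
the entry but no by-clause matches the binder, the result is none; if
no directive matches at all, the defaultaccess value is returned.
"""
import re

# slapd access levels, lowest to highest; each level implies the ones below.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

ACCESS_RE = re.compile(r'^access to dn="([^"]*)"$')
BY_RE = re.compile(r'^by (self|\*|dn="[^"]*") (\w+)$')


def parse_acl(text):
    """Turn access/by lines into [{'target': regex, 'by': [(who, level), ...]}]."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ACCESS_RE.match(line)
        if m:
            rules.append({"target": m.group(1), "by": []})
            continue
        m = BY_RE.match(line)
        if m and rules:
            who, level = m.group(1), m.group(2)
            if who.startswith("dn="):
                who = who[4:-1]  # keep only the regex between the quotes
            if level not in LEVELS:
                raise ValueError(f"unknown access level: {level}")
            rules[-1]["by"].append((who, level))
            continue
        raise ValueError(f"unsupported line: {line}")
    return rules


def access_level(rules, target_dn, bind_dn, default="none"):
    """Level that bind_dn ('' = anonymous) gets on target_dn.

    Only the first directive whose target matches the entry is consulted,
    and inside it the first matching by-clause wins (slapd stops there).
    """
    for rule in rules:
        t = re.search(rule["target"], target_dn)
        if not t:
            continue
        for who, level in rule["by"]:
            if who == "*":
                return level
            if who == "self":
                if bind_dn and bind_dn == target_dn:
                    return level
                continue
            # Expand $1, $2, ... with the groups captured from the target.
            pattern = re.sub(r"\$(\d+)",
                             lambda m: re.escape(t.group(int(m.group(1)))), who)
            if re.search(pattern, bind_dn):
                return level
        return "none"  # directive matched, nobody matched: implicit "by * none"
    return default


def allows(rules, target_dn, bind_dn, wanted):
    """True if the granted level is at least `wanted`."""
    return LEVELS.index(access_level(rules, target_dn, bind_dn)) >= LEVELS.index(wanted)


CLIENTS = "ou=Clients,dc=amberarcher,dc=com"  # suffix from the post

# Constructed: the ordering mistake. The generic per-client "read" clause
# also matches "cn=Directory Manager,...", and it is listed first.
BROKEN_ACL = f"""
access to dn="dc=([^,]+),dc=([^,]+),{CLIENTS}"
      by self write
      by dn="cn=[^,]+,dc=$1,dc=$2,{CLIENTS}" read
      by dn="cn=Directory Manager,dc=$1,dc=$2,{CLIENTS}" write
"""

# Constructed: the corrected ordering, with the explicit "by * none" the
# post adds and the extra one-"dc" rule for the intermediate nodes.
FIXED_ACL = f"""
access to dn="dc=([^,]+),dc=([^,]+),{CLIENTS}"
      by self write
      by dn="cn=Directory Manager,dc=$1,dc=$2,{CLIENTS}" write
      by dn="cn=[^,]+,dc=$1,dc=$2,{CLIENTS}" read
      by * none

access to dn="dc=([^,]+),{CLIENTS}"
      by dn=".*,dc=$1,{CLIENTS}" read
      by * none

access to dn="{CLIENTS}"
      by dn=".+" read
      by * none
"""

# Constructed DNs for the scenarios.
ACME_USER = f"cn=bob,dc=acme,dc=com,{CLIENTS}"
ACME_DM = f"cn=Directory Manager,dc=acme,dc=com,{CLIENTS}"
GLOBEX_USER = f"cn=alice,dc=globex,dc=com,{CLIENTS}"
ORG_USER = f"cn=carol,dc=initech,dc=org,{CLIENTS}"
COM_NODE = f"dc=com,{CLIENTS}"


def scenarios():
    """Evaluate the post's situations against both rule sets."""
    broken, fixed = parse_acl(BROKEN_ACL), parse_acl(FIXED_ACL)
    return {
        "dm_broken": access_level(broken, ACME_USER, ACME_DM),      # read
        "dm_fixed": access_level(fixed, ACME_USER, ACME_DM),        # write
        "self_fixed": access_level(fixed, ACME_USER, ACME_USER),    # write
        "other_client": access_level(fixed, ACME_USER, GLOBEX_USER),  # none
        "anon_entry": access_level(fixed, ACME_USER, ""),           # none
        "top_authed": access_level(fixed, CLIENTS, GLOBEX_USER),    # read
        "top_anon": access_level(fixed, CLIENTS, ""),               # none
        "com_node_com_user": access_level(fixed, COM_NODE, ACME_USER),  # read
        "com_node_org_user": access_level(fixed, COM_NODE, ORG_USER),   # none
    }


if __name__ == "__main__":
    for name, level in scenarios().items():
        print(f"{name:18s} {level}")
```

Swapping the two by-clauses is all it takes to turn the manager's write access into read, which is why the post's fix is purely an ordering change; running a table like this against the real slapd.conf (with ldapsearch as each bind DN) is the practical equivalent.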