Re: LDAP Access Control
Tony Earnshaw wrote:
>> I would be surprised if
>
>> > cn=App1,cn=Torgeir,ou=people,ou=groups,dc=billy,dc=demon,dc=nl
>> >
>> > access to
>> > dn=".*,cn=(.*),ou=people,ou=groups,dc=billy,dc=demon,dc=nl"
>> > attrs=entry,children
>> > by anonymous auth
>> > by dn="cn=Admin,dc=billy,dc=demon,dc=nl" write
>> > by dn="cn=$1,ou=people,ou=groups,dc=billy,dc=demon,dc=nl"
>> > write
>
>> would allow cn=(.*),ou=people,ou=groups,dc=billy,dc=demon,dc=nl
>> to be managed with this rule !
>
> Life is full of surprises, Ace! But that is, in fact, exactly what
> happens. Try it for yourself.
I don't think so either. Taking the example, the above rule will just
give access to
dn=".*,cn=Torgeir,ou=people,ou=groups,dc=billy,dc=demon,dc=nl"
which does _not_ include
dn="cn=Torgeir,ou=people,ou=groups,dc=billy,dc=demon,dc=nl"
Correctly, the ACL could be written as
access to
dn=".*cn=([^,]+),ou=people,ou=groups,dc=billy,dc=demon,dc=nl"
by dn="cn=$1,ou=people,ou=groups,dc=billy,dc=demon,dc=nl" write
I think. (untested)
Or, but this is just a thought, may not work, and is untested too:
access to
dn="cn=([^,]+),ou=people,ou=groups,dc=billy,dc=demon,dc=nl"
attrs=entry,children
by self write
> I *do* have a user
> cn=Billy,ou=people,ou=groups,dc=billy,dc=demon,dc=nl, and he can't
> touch what Torgeir has in his tree. Neither can I. But Torgeir can.
But can Torgeir change his/her/its own data?
Don't get me wrong, I believe that you are experiencing the effect you
describe, but I think it's due to another ACL line in your slapd.conf,
or something like that.
curious,
daniel
--
... when men were men
and wrote their own device drivers ...
-- Linus Benedict Torvalds
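The regex question debated above (does the quoted `dn=".*,cn=(.*),..."` rule cover the user's own entry, and what does `$1` expand to) can be checked offline with a small emulation of the `access to dn=<regex>` / `by dn=...$1...` matching. This is an added example, not slapd code and not from anyone on the thread; it assumes the pattern is anchored at both ends (fullmatch) and compared case-insensitively, and it adds a third, constructed `cn=(.*)` variant that is not on the page to show why the reply uses `[^,]+` for the capture.

```python
import re

# Added example: emulates only the regex selection of the target entry and the
# $1..$9 expansion of a "by dn=" subject. Real slapd also normalizes DNs and
# evaluates the full "by" list in order; none of that is modelled here.
# Assumption: slapd's dn regex behaves like an anchored, case-insensitive match.

PEOPLE = "ou=people,ou=groups,dc=billy,dc=demon,dc=nl"

# Rule quoted at the top of the thread: requires a ",cn=" *before* the captured
# cn, so it only selects entries below a user, never the user entry itself.
RULE_QUOTED = (rf".*,cn=(.*),{PEOPLE}", rf"cn=$1,{PEOPLE}")
# Rule proposed in the reply: ".*" may be empty, so the user entry itself and
# everything below it are selected; "[^,]+" stops the capture at the next RDN.
RULE_PROPOSED = (rf".*cn=([^,]+),{PEOPLE}", rf"cn=$1,{PEOPLE}")
# Constructed variant (not on the page): a greedy "(.*)" capture swallows the
# whole chain of RDNs, so $1 is no longer just the owner's cn.
RULE_GREEDY = (rf"cn=(.*),{PEOPLE}", rf"cn=$1,{PEOPLE}")


def match_target(pattern: str, target_dn: str):
    """Match the 'access to dn=' regex against the target entry's DN."""
    return re.fullmatch(pattern, target_dn, re.IGNORECASE)


def expand_by_dn(template: str, m: re.Match) -> str:
    """Replace $1..$9 in a 'by dn=' template with groups captured from the target."""
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), template)


def grants_write(rule, target_dn: str, bind_dn: str) -> bool:
    """True if bind_dn is the subject selected by the rule's 'by dn=...$1...' clause."""
    pattern, by_template = rule
    m = match_target(pattern, target_dn)
    if m is None:
        return False  # entry not covered by this access clause at all
    return expand_by_dn(by_template, m).lower() == bind_dn.lower()


TORGEIR = f"cn=Torgeir,{PEOPLE}"   # the user entry
APP1 = f"cn=App1,{TORGEIR}"        # an entry in Torgeir's subtree
BILLY = f"cn=Billy,{PEOPLE}"       # another user

if __name__ == "__main__":
    for name, rule in (("quoted", RULE_QUOTED), ("proposed", RULE_PROPOSED)):
        print(name, "Torgeir on App1:", grants_write(rule, APP1, TORGEIR))
        print(name, "Torgeir on own entry:", grants_write(rule, TORGEIR, TORGEIR))
        print(name, "Billy on App1:", grants_write(rule, APP1, BILLY))
```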