
ACLs and madness



I am currently working on a web app using ldap and while encouraged
initially I am approaching madness now regarding what seems like a
simple problem.

I would like to give authenticated users (see 2nd ACL below) the ability
to create and edit all the entries below theirs, while concealing them
from everyone else except root. (In my darker moments I am actually
having trouble understanding why this is not default behavior for a
directory server, but that is another story.) The FAQs give the example
below along with some extraneous parentheses. As listed below it seems
to allow everyone, including anonymous, to write to these records. If you
move the "by anonymous auth" line up above the "by dn="$1" write" line it
excludes anonymous but allows any authenticated user to edit. And
preventing reading selectively seems out of the question. I have tried
many scenarios here as well. I am not, however, very good at regex and
maybe this is the answer, I don't know. Nothing I have tried has worked
yet. I have RTM and the FAQ and googled; I have spent probably 6 hours
or so on this one problem and I am out of good ideas.

This is my entire current ACL so far. Does anyone with more experience
here see the problem or have a better solution to my problem? My guess
is, I have made some bonehead mistake that I am blind to.

Thanks again

access to attr=userPassword
    by self write
    by anonymous auth
    by dn="cn=manager,dc=home,dc=com" write
    by * none
# authenticated users can create and modify private child entries (theory)
access to dn=".*,uid=.*,ou=users,ou=People,dc=home,dc=com"
    by dn="$1" write
    by anonymous auth
# group access (works)
access to dn="ou=contacts,ou=People,dc=home,dc=com"
    by group="cn=listkeepers,ou=group,dc=home,dc=com" write
    by * auth
access to dn.children="ou=contacts,ou=People,dc=home,dc=com"
    by self write
    by group="cn=listkeepers,ou=group,dc=home,dc=com" write
    by * auth
access to *
    by self write
    by dn="cn=manager,dc=home,dc=com" write
    by * read
-- 
Tom
***********************************************
A computer once beat me at chess...
But, as it turns out, it was no match for me at kick boxing.
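A corrected version of the per-user clause, added here as an example and not part of Tom's post: it assumes OpenLDAP 2.1-or-later slapd.conf syntax, where a capture group from the `access to dn.regex=` target is substituted into a `by dn.exact,expand=` clause, and keeps the dc=home,dc=com tree and the other clauses from the post.

```conf
# Added example (not from the post). Assumes OpenLDAP 2.1+ slapd.conf syntax.
# slapd evaluates "access to" clauses in order and uses the FIRST one whose
# target matches; within it, the FIRST matching "by" clause decides. So the
# per-user clause must sit before the catch-all "access to *".

access to attrs=userPassword
    by self write
    by anonymous auth
    by dn.exact="cn=manager,dc=home,dc=com" write
    by * none

# Original clause from the post, for comparison:
#   access to dn=".*,uid=.*,ou=users,ou=People,dc=home,dc=com"
#       by dn="$1" write
#       by anonymous auth
# The target pattern has no parentheses, so there is no capture group and
# "$1" has nothing to expand to; the owner is never granted write. Even read
# as a regex, ".*,uid=" also demands a comma before "uid=", so it never
# matches the user's own entry, only DNs with something in front of it.

# Corrected: match the user's own entry AND everything below it.
#   (.+,)?  optional leading RDNs, i.e. child entries
#   ([^,]+) the uid value, captured as $2
access to dn.regex="^(.+,)?uid=([^,]+),ou=users,ou=People,dc=home,dc=com$"
    by dn.exact,expand="uid=$2,ou=users,ou=People,dc=home,dc=com" write
    by dn.exact="cn=manager,dc=home,dc=com" write
    by * none
# "by * none" makes the deny explicit. Because this clause already matched,
# the later "access to * ... by * read" never applies to these entries, so
# other users (and anonymous) cannot even see them.

# Group-managed contacts subtree and catch-all, unchanged apart from the
# explicit .exact style.
access to dn.exact="ou=contacts,ou=People,dc=home,dc=com"
    by group.exact="cn=listkeepers,ou=group,dc=home,dc=com" write
    by * auth
access to dn.children="ou=contacts,ou=People,dc=home,dc=com"
    by self write
    by group.exact="cn=listkeepers,ou=group,dc=home,dc=com" write
    by * auth
access to *
    by self write
    by dn.exact="cn=manager,dc=home,dc=com" write
    by * read
```

After editing, check the result with `slapacl` (or an `ldapsearch`/`ldapadd` as a test user) rather than trusting the file: an ACL that silently fails to match falls through to the catch-all, which is exactly the symptom described in the post.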