Re: ACL's and madness
Can you post the version with the parentheses?
Ziya.
On 2003-02-19 19:47:12 +0000, Tom Possin wrote:
> I am currently working on a web app using ldap and while encouraged
> initially I am approaching madness now regarding what seems like a
> simple problem.
>
> I would like to give authenticated users (see 2nd ACL below) the ability
> to create and edit all the entries below theirs. While concealing them
> from everyone else except root. (In my darker moments I am actually
> having trouble understanding why this is not default behavior for a
> directory server but that is another story) The FAQs give the example
> below along with some extraneous parentheses. As listed below it seems
> to allow everyone including anonymous to write to these records. If you
> move the "by anonymous auth" up above the "by dn="$1" write" line it
> excludes anonymous but allows any authenticated user to edit. And
> preventing reading selectively seems out of the question. I have tried
> many scenarios here as well. I am not however very good at regex and
> maybe this is the answer I don't know. Nothing I have tried has worked
> yet. I have RTM'd and read the FAQ and googled, I have spent probably 6 hours
> or so on this one problem and I am out of good ideas.
>
> This is my entire current ACL so far. Does anyone with more experience
> here see the problem or have a better solution to my problem? My guess
> is, I have made some bonehead mistake that I am blind to.
>
> Thanks again
>
> access to attr=userPassword
> by self write
> by anonymous auth
> by dn="cn=manager,dc=home,dc=com" write
> by * none
> #authenticated users can create and modify private child entries (theory)
> access to dn=".*,uid=.*,ou=users,ou=People,dc=home,dc=com"
> by dn="$1" write
> by anonymous auth
> #group access (works)
> access to dn="ou=contacts,ou=People,dc=home,dc=com"
> by group="cn=listkeepers,ou=group,dc=home,dc=com" write
> by * auth
> access to dn.children="ou=contacts,ou=People,dc=home,dc=com"
> by self write
> by group="cn=listkeepers,ou=group,dc=home,dc=com" write
> by * auth
> access to *
> by self write
> by dn="cn=manager,dc=home,dc=com" write
> by * read
> --
> Tom
> ***********************************************
> A computer once beat me at chess...
> But, as it turns out, it was no match for me at kick boxing.
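Since the quoted ACL is the parenthesis-free form, the following is an added example (not a reply from the thread) of the same slapd.conf ACL with the capture group that the "$1" back-reference needs. It assumes OpenLDAP 2.1-style explicit dn.regex/dn.exact styles and keeps Tom's other clauses as posted.

```conf
# Added example, not from the thread: per-user subtree ACL with a capture group.
# Assumes OpenLDAP 2.1+ slapd.conf syntax with explicit dn styles, where "$1"
# in a "by" clause expands to the first parenthesized group of the "to" regex.

# Password attribute: as posted in the thread.
access to attr=userPassword
        by self write
        by anonymous auth
        by dn.exact="cn=manager,dc=home,dc=com" write
        by * none

# Entries below uid=<user>,ou=users,ou=People,dc=home,dc=com.
# ([^,]+) captures the owner's uid so "$1" refers to that user; without the
# parentheses there is no group for "$1" to expand to. ^ and $ anchor the
# pattern so it cannot match entries in other subtrees. Nobody but the owner
# and the manager matches a clause, so everyone else falls through to none.
access to dn.regex="^.+,uid=([^,]+),ou=users,ou=People,dc=home,dc=com$"
        by dn.regex="^uid=$1,ou=users,ou=People,dc=home,dc=com$" write
        by dn.exact="cn=manager,dc=home,dc=com" write
        by * none

# Group-managed contacts: as posted in the thread.
access to dn.exact="ou=contacts,ou=People,dc=home,dc=com"
        by group="cn=listkeepers,ou=group,dc=home,dc=com" write
        by * auth
access to dn.children="ou=contacts,ou=People,dc=home,dc=com"
        by self write
        by group="cn=listkeepers,ou=group,dc=home,dc=com" write
        by * auth

# Everything else (including each user's own uid= entry, which the regex
# above does not match): self-writable, manager-writable, world-readable.
access to *
        by self write
        by dn.exact="cn=manager,dc=home,dc=com" write
        by * read
```

Clause order matters: slapd uses the first "access to" whose target matches, so the regex clause must stay above the catch-all "access to *".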