
Re: ACL's and madness



Can you post the version with the parentheses.

Ziya.

On 2003-02-19 19:47:12 +0000, Tom Possin wrote:
> I am currently working on a web app using ldap and while encouraged
> initially I am approaching madness now regarding what seems like a
> simple problem.
> 
> I would like to give authenticated users (see 2nd ACL below) the ability
> to create and edit all the entries below theirs, while concealing them
> from everyone else except root. (In my darker moments I am actually
> having trouble understanding why this is not default behavior for a
> directory server but that is another story.) The FAQs give the example
> below along with some extraneous parentheses. As listed below it seems
> to allow everyone including anonymous to write to these records. If you
> move the "by anonymous auth" up above the "by dn="$1" write" line it
> excludes anonymous but allows any authenticated user to edit. And
> preventing reading selectively seems out of the question. I have tried
> many scenarios here as well. I am not however very good at regex and
> maybe this is the answer I don't know. Nothing I have tried has worked
> yet. I have RTM. and the FAQ and googled, I have spent probably 6 hours
> or so on this one problem and I am out of good ideas.
> 
> This is my entire current ACL so far. Does anyone with more experience
> here see the problem or have a better solution to my problem? My guess
> is, I have made some bonehead mistake that I am blind to.
> 
> Thanks again
> 
> access to attr=userPassword
>         by self write
>         by anonymous auth
>         by dn="cn=manager,dc=home,dc=com" write
>         by * none
> #authenticated users can create and modify private child entries (theory)
> access to dn=".*,uid=.*,ou=users,ou=People,dc=home,dc=com"
>         by dn="$1" write
>         by anonymous auth
> #group access (works)
> access to dn="ou=contacts,ou=People,dc=home,dc=com"
>         by group="cn=listkeepers,ou=group,dc=home,dc=com" write
>         by * auth
> access to dn.children="ou=contacts,ou=People,dc=home,dc=com"
>         by self write
>         by group="cn=listkeepers,ou=group,dc=home,dc=com" write
>         by * auth
> access to *
>         by self write
>         by dn="cn=manager,dc=home,dc=com" write
>         by * read
> -- 
> Tom
> ***********************************************
> A computer once beat me at chess...
> But, as it turns out, it was no match for me at kick boxing.
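
The parentheses Ziya asks about are the point: "$1" in a <by> clause refers to a parenthesized capture group in the "access to" regex, and the regex quoted above has none, so the pattern it expands to is empty. An empty regex matches any bound DN (and the anonymous empty DN), which is consistent with the symptom Tom describes. Below is an added worked version of the "own subtree" rule, written for this reply and not taken from the original post or the OpenLDAP FAQ. It assumes OpenLDAP 2.1-style ACL syntax (explicit dn.regex= / dn.exact= styles, attrs= rather than attr=, and the implicit "by * none" when no <by> clause matches) and the same tree layout as Tom's slapd.conf; the group numbers and the "by * none" lines are spelled out for clarity, not because the page shows them.

```conf
# Added example, not the poster's or the FAQ's text.  Assumes OpenLDAP 2.1
# ACL syntax and the dc=home,dc=com layout from the post.
#
# slapd evaluates "access to" clauses in order and uses the FIRST one whose
# <what> matches the target entry/attribute; within that clause it stops at
# the FIRST matching <by>.  If no <by> matches, access is denied ("none").
# So these clauses must come before the catch-all "access to * ... by * read".

# Passwords: the owner may change theirs, anonymous may only bind against it.
access to attrs=userPassword
        by self write
        by anonymous auth
        by dn.exact="cn=manager,dc=home,dc=com" write
        by * none

# A user's own entry plus every entry beneath it.
#   group 1 = optional RDN prefix of a child entry (empty for the user entry)
#   group 2 = the uid value
# $2 is substituted into the <by> pattern before it is compiled, so only the
# bound DN that owns the subtree matches "write".  Other authenticated users
# match nothing and are denied, which conceals the subtree from them; the
# manager DN is granted write explicitly.
access to dn.regex="^(.+,)?uid=([^,]+),ou=users,ou=People,dc=home,dc=com$"
        by dn.regex="^uid=$2,ou=users,ou=People,dc=home,dc=com$" write
        by dn.exact="cn=manager,dc=home,dc=com" write
        by anonymous auth
        by * none
```

Two things to check after editing: restart slapd and confirm it accepts the config (a bad regex is rejected at startup), then test with three binds against an entry under one user's uid, as that user, as another user, and anonymously, using ldapsearch and ldapmodify; only the owner and cn=manager should be able to read or modify it.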