I just finished banging out the following ACL by closely watching the debug
output and tweaking when I found denies that correlated to misbehaviour by
the tool "gq":

#access to *
#        by * read

# Need to provide access to the Root DSE and Subschema
# (gq uses them for example)
access to dn.base=""
        by users read
access to dn.base="cn=Subschema"
        by users read

#access to filter="(objectClass=*)"
#        by users read
#        by * search

access to dn.base="dc=example,dc=com" attr=objectClass
        by users search
access to dn.base="ou=People,dc=example,dc=com" attr=objectClass,entry
        by users read

access to dn="ou=Contacts,ou=People,dc=example,dc=com$"
        by dn.base="uid=ContactsAdmin,ou=People,dc=example,dc=com" write
        by users read

# Allow anyone to try to authorize and owners and the Manager to write
access to dn="^uid=[^,]+,ou=People,dc=example,dc=com$" attr=userPassword
        by dn="cn=Manager,dc=example,dc=com" write
        by self write
        by * auth

# users have full access to their entire subtree
# (DO NOT enable access to their entry or they could change, for example,
#  their uid/gid)
access to dn=".+,uid=([^,]+),ou=People,dc=example,dc=com$"
        by dn="^uid=$1,ou=People,dc=example,dc=com$" write

# not needed (yet)
#access to dn=".*,dc=example,dc=com" attr=mail
#        by dn="cn=Manager,dc=example,dc=com" write
#        by self write
#        by users read

## Manager can write to all
#access to dn=".*,dc=example,dc=com"
#        by dn="cn=Manager,dc=example,dc=com" write
#        by * none

# Nothing else!
access to *
        by * none

The goal is to give read access to "ou=Contacts,ou=People..." to everyone,
but allow "uid=ContactsAdmin,ou=People..." to edit contact information in
that tree. Also, users (under ou=People...) should have write access to
everything under their "uid" entry, but not their entry (lest they change
things like uid/gid etc.). Everything else should be no access to anyone
(except the rootdn of course).

Is there anything above that I am missing/got wrong, or you would do
differently?

b.
--
My other computer is your Microsoft Windows server.
Brian J. Murrell
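As an added example (not code from the post or from OpenLDAP), here is a small Python model of how slapd walks a list of access directives: the first "access to" whose target matches the (entry, attribute) pair is selected, within it the first "by" clause whose subject matches decides the privilege, and a selected directive with no matching "by" denies. The directives are transcribed from the post in the same order; the old unstyled dn="..." forms are treated as regular expressions (as the $ anchors in the post imply), DN comparison is simplified to case-insensitive string equality, and the bind and entry DNs used in the checks (uid=bob, uid=alice, cn=Alice, cn=profile) are constructed for the demonstration. The authoritative answer is still slapd's own evaluation, which is what the debug output in the post shows; this model only makes the first-match rule visible for the stated goals.

```python
import re

# Privilege levels in slapd's order; a grant of level X satisfies any lower level.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
BASE = "dc=example,dc=com"
MANAGER = f"cn=Manager,{BASE}"
CONTACTS_ADMIN = f"uid=ContactsAdmin,ou=People,{BASE}"

# The post's directives, transcribed as (target, attrs, by-list).
#   target: ("base", dn) for dn.base=, ("regex", pattern) for the unstyled dn= form
#   attrs:  None means every attribute (including the "entry" pseudo-attribute)
#   by:     (who, level) pairs; who is ("*",), ("users",), ("self",),
#           ("base", dn) or ("regex", pattern) where $1 refers to the target's group
ACL = [
    (("base", ""), None, [(("users",), "read")]),
    (("base", "cn=Subschema"), None, [(("users",), "read")]),
    (("base", BASE), {"objectclass"}, [(("users",), "search")]),
    (("base", f"ou=People,{BASE}"), {"objectclass", "entry"}, [(("users",), "read")]),
    (("regex", rf"ou=Contacts,ou=People,{BASE}$"), None,
     [(("base", CONTACTS_ADMIN), "write"), (("users",), "read")]),
    (("regex", rf"^uid=[^,]+,ou=People,{BASE}$"), {"userpassword"},
     [(("regex", MANAGER), "write"), (("self",), "write"), (("*",), "auth")]),
    (("regex", rf".+,uid=([^,]+),ou=People,{BASE}$"), None,
     [(("regex", rf"^uid=$1,ou=People,{BASE}$"), "write")]),
    (("regex", r".*"), None, [(("*",), "none")]),  # access to * by * none
]


def _match_target(target, attrs, target_dn, attr):
    """Return the regex groups captured on the target (a tuple, possibly empty)
    when the directive covers this (entry, attribute) pair, else None."""
    if attrs is not None and attr.lower() not in attrs:
        return None
    kind, value = target
    if kind == "base":
        return () if target_dn.lower() == value.lower() else None
    m = re.search(value, target_dn, re.IGNORECASE)
    return m.groups() if m else None


def _match_who(who, bind_dn, target_dn, groups):
    """Does this 'by' subject match the binding identity? '' means anonymous."""
    kind = who[0]
    if kind == "*":
        return True
    if kind == "users":
        return bind_dn != ""
    if kind == "self":
        return bind_dn != "" and bind_dn.lower() == target_dn.lower()
    if kind == "base":
        return bind_dn.lower() == who[1].lower()
    pattern = who[1]
    for i, g in enumerate(groups, start=1):  # substitute $1, $2, ... from the target match
        pattern = pattern.replace(f"${i}", re.escape(g))
    return re.search(pattern, bind_dn, re.IGNORECASE) is not None


def granted(bind_dn, target_dn, attr="entry"):
    """Privilege the model grants bind_dn on (target_dn, attr): the first matching
    'access to' is selected; inside it the first matching 'by' decides; a selected
    directive with no matching 'by' yields none."""
    for target, attrs, by in ACL:
        groups = _match_target(target, attrs, target_dn, attr)
        if groups is None:
            continue
        for who, level in by:
            if _match_who(who, bind_dn, target_dn, groups):
                return level
        return "none"
    return "none"  # not reached with this list: it ends in an explicit catch-all


def allowed(bind_dn, target_dn, attr, wanted):
    """True when the granted level is at least the level the operation needs."""
    return LEVELS.index(granted(bind_dn, target_dn, attr)) >= LEVELS.index(wanted)


if __name__ == "__main__":
    BOB = f"uid=bob,ou=People,{BASE}"          # constructed user entry
    CONTACT = f"cn=Alice,ou=Contacts,ou=People,{BASE}"  # constructed contact entry
    SUB = f"cn=profile,uid=bob,ou=People,{BASE}"        # constructed child of bob
    for bind, target, attr in [("", CONTACT, "entry"), (BOB, CONTACT, "entry"),
                               (CONTACTS_ADMIN, CONTACT, "mail"), ("", BOB, "userPassword"),
                               (BOB, BOB, "userPassword"), (BOB, SUB, "mail"),
                               (BOB, BOB, "gidNumber"), (BOB, BOB, "entry")]:
        print(f"{bind or 'anonymous'!s:45} {target:50} {attr:13} -> {granted(bind, target, attr)}")
```

Running the block prints one line per check. Two results are worth looking at against the post's goals: an anonymous bind gets "none" on the Contacts subtree, because the directive's only non-admin clause is "by users read" rather than "by * read"; and a user's own uid entry gets "none" for every attribute except userPassword, since the subtree directive's ".+," prefix deliberately excludes the entry itself and nothing earlier in the list grants it.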