I just finished banging out the following ACL by closely watching the
debug output and tweaking when I found denies that correlated to
misbehaviour by the tool "gc":
#access to *
#	by * read
# Need to provide access to the Root DSE and Subschema
# (gq uses them for example)
access to dn.base=""
	by users read
access to dn.base="cn=Subschema"
	by users read
#access to filter="(objectClass=*)"
#	by users read
#	by * search
access to dn.base="dc=example,dc=com" attr=objectClass
	by users search
access to dn.base="ou=People,dc=example,dc=com" attr=objectClass,entry
	by users read
access to dn="ou=Contacts,ou=People,dc=example,dc=com$"
	by dn.base="uid=ContactsAdmin,ou=People,dc=example,dc=com" write
	by users read
# Allow anyone to try to authorize and owners and the Manager to write
access to dn="^uid=[^,]+,ou=People,dc=example,dc=com$" attr=userPassword
	by dn="cn=Manager,dc=example,dc=com" write
	by self write
	by * auth
# users have full access to their entire subtree
# (DO NOT enable access to their entry or they could change, for example,
# their uid/gid)
access to dn=".+,uid=([^,]+),ou=People,dc=example,dc=com$"
	by dn="^uid=$1,ou=People,dc=example,dc=com$" write
# not needed (yet)
#access to dn=".*,dc=example,dc=com" attr=mail
#	by dn="cn=Manager,dc=example,dc=com" write
#	by self write
#	by users read
## Manager can write to all
#access to dn=".*,dc=example,dc=com"
#	by dn="cn=Manager,dc=example,dc=com" write
#	by * none
# Nothing else!
access to *
	by * none
The goal is to give read access to "ou=Contacts,ou=People..." to
everyone, but allow "uid=ContactsAdmin,ou=People..." to edit contact
information in that tree.
Also, users (under ou=People...) should have write access to everything
under their "uid" entry, but not their entry (lest they change things
like uid/gid etc.)
Everything else should be no access to anyone (except the rootdn of
course).
Is there anything above that I am missing/got wrong, or you would do
differently?
b.
--
My other computer is your Microsoft Windows server.
Brian J. Murrell
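The ACL above is only as good as slapd's first-match evaluation makes it: the first "access to" whose <what> matches the target entry and attribute is selected, the first matching "by" inside it decides the access level, and a matching directive with no matching "by" denies (the implicit "by * none"). The following is an added example, not code from the post or from OpenLDAP: a small Python model of that evaluation order, covering just the features the posted ACL uses (dn.base, dn=<regex>, attr lists, *, anonymous, users, self, dn.base= and dn=<regex> with $1 expansion, and the cumulative access levels). The ACL text embedded in it is a copy of the directives above with the commented-out rules dropped; the DNs uid=alice and cn=Bob,ou=Contacts are constructed test values. Real slapd also handles filters, sets, control flags and DN normalisation, so treat the results as a review aid rather than a substitute for testing against the server with ldapsearch/ldapmodify as each identity.

```python
"""Simplified model of slapd 'access to <what> by <who> <level>' evaluation.

Added example (not the poster's or OpenLDAP's code). It deliberately models
only the constructs used by the ACL in the post.
"""
import re
import shlex

# Cumulative levels: a clause granting "read" also satisfies "search", etc.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# Copy of the active directives from the post, in slapd.conf layout
# (continuation lines start with whitespace).
ACL_TEXT = """\
access to dn.base=""
    by users read
access to dn.base="cn=Subschema"
    by users read
access to dn.base="dc=example,dc=com" attr=objectClass
    by users search
access to dn.base="ou=People,dc=example,dc=com" attr=objectClass,entry
    by users read
access to dn="ou=Contacts,ou=People,dc=example,dc=com$"
    by dn.base="uid=ContactsAdmin,ou=People,dc=example,dc=com" write
    by users read
access to dn="^uid=[^,]+,ou=People,dc=example,dc=com$" attr=userPassword
    by dn="cn=Manager,dc=example,dc=com" write
    by self write
    by * auth
access to dn=".+,uid=([^,]+),ou=People,dc=example,dc=com$"
    by dn="^uid=$1,ou=People,dc=example,dc=com$" write
access to *
    by * none
"""


def parse_acl(text):
    """Join continuation lines, then split each directive into
    ((kind, pattern), attrs-or-None, [(who, level), ...])."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:          # continuation of previous line
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    rules = []
    for line in logical:
        tokens = shlex.split(line)                # strips the quotes for us
        assert tokens[:2] == ["access", "to"], line
        by_idx = tokens.index("by")
        what, attrs = ("any", ""), None
        for tok in tokens[2:by_idx]:
            if tok == "*":
                continue
            key, _, val = tok.partition("=")
            if key in ("attr", "attrs"):
                attrs = {a.lower() for a in val.split(",")}
            elif key == "dn.base":
                what = ("base", val)
            elif key in ("dn", "dn.regex"):       # bare dn= means regex style
                what = ("regex", val)
            else:
                raise ValueError("unsupported <what> clause: " + tok)
        rest = tokens[by_idx:]                    # by WHO LEVEL by WHO LEVEL ...
        by = [(rest[i + 1], rest[i + 2]) for i in range(0, len(rest), 3)]
        rules.append((what, attrs, by))
    return rules


def match_what(what, target_dn):
    """Return a match object (its groups feed $1 expansion) or None."""
    kind, pat = what
    if kind == "any":
        return re.match("", target_dn)
    if kind == "base":
        return re.match("", target_dn) if target_dn.lower() == pat.lower() else None
    return re.search(pat, target_dn, re.IGNORECASE)


def match_who(who, requestor, target_dn, groups):
    """requestor == "" models an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requestor == ""
    if who == "users":
        return requestor != ""
    if who == "self":
        return requestor != "" and requestor.lower() == target_dn.lower()
    key, _, val = who.partition("=")
    if key == "dn.base":
        return requestor.lower() == val.lower()
    if key in ("dn", "dn.regex"):
        # $N is replaced by group N of the <what> regex (escaped here; slapd
        # substitutes the captured text literally).
        pat = re.sub(r"\$(\d)", lambda m: re.escape(groups[int(m.group(1)) - 1]), val)
        return re.search(pat, requestor, re.IGNORECASE) is not None
    raise ValueError("unsupported <who> clause: " + who)


def allowed(rules, requestor, target_dn, attr, wanted):
    """First matching <what> wins; inside it the first matching <who> wins;
    a matching directive whose <who> clauses all fail denies."""
    for what, attrs, by in rules:
        m = match_what(what, target_dn)
        if m is None or (attrs is not None and attr.lower() not in attrs):
            continue
        for who, level in by:
            if match_who(who, requestor, target_dn, m.groups()):
                return LEVELS.index(level) >= LEVELS.index(wanted)
        return False
    # No directive matched: slapd's built-in default is "access to * by * read".
    return LEVELS.index("read") >= LEVELS.index(wanted)


ACL = parse_acl(ACL_TEXT)
PEOPLE = "ou=People,dc=example,dc=com"
ALICE = "uid=alice," + PEOPLE                      # constructed test identity
MANAGER = "cn=Manager,dc=example,dc=com"
CONTACT = "cn=Bob,ou=Contacts," + PEOPLE            # constructed contact entry

if __name__ == "__main__":
    for label, args in {
        "alice writes inside her own subtree": (ALICE, "cn=x," + ALICE, "cn", "write"),
        "alice writes inside bob's subtree": (ALICE, "cn=x,uid=bob," + PEOPLE, "cn", "write"),
        "alice writes uidNumber on her own entry": (ALICE, ALICE, "uidNumber", "write"),
        "anonymous auth against alice's password": ("", ALICE, "userPassword", "auth"),
        "ContactsAdmin edits a contact": ("uid=ContactsAdmin," + PEOPLE, CONTACT, "telephoneNumber", "write"),
        "Manager (not rootdn) writes in alice's subtree": (MANAGER, "cn=x," + ALICE, "cn", "write"),
    }.items():
        print(f"{label}: {allowed(ACL, *args)}")
```

Two results worth noticing when reviewing the ACL: anonymous binds get exactly "auth" on userPassword and nothing higher, which is what lets a bind succeed without exposing the hash; and cn=Manager gets no access inside users' subtrees or the Contacts tree, because the "Manager can write to all" directive is commented out. That is harmless while cn=Manager is the rootdn (the rootdn bypasses ACLs entirely), but it will bite if a non-rootdn admin account is ever substituted.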