Re: ACL for only creating entry
> I had to change the below ACL suggestion slightly, replacing your
> "exact" with "base" (otherwise openldap wouldn't accept it), but no
> success. The account webregister is not able to see any of the children
> entries in the directory, as intended, but it is not able to create
> them at all. I get permission denied errors.
>
> # Forbid all access to individual users by WebRegister
> access to dn.regex="uid=(.+),ou=users,dc=theoretic,dc=com"
> by dn.regex="uid=$1,ou=users,dc=theoretic,dc=com" read
> by * none
>
> # Grant access to WebRegister to create new users,
> # even if it can't see them (above ACL)
> access to dn.base="ou=users,dc=example,dc=com" attrs=children
> by dn.base="uid=webregister,ou=services,dc=theoretic,dc=com" write by *
> none
The second ACL never gets caught because the first one intercepts
it (ACL evaluation goes from specific to generic and in order).
Try to elaborate on
# allow webregister to add a child to ou=users
# (base assumed to be dc=theoretic, as in the other clauses)
access to dn.base="ou=users,dc=theoretic,dc=com" attrs=children
by dn.exact="uid=webregister,ou=services,dc=theoretic,dc=com" write
by * none
# allow access to any user and its subtree by the user itself
# with read privileges and by webregister with write privileges
# (the uid is the second capture group of the regex, hence $2)
access to dn.regex="^(.*,)?uid=([^,]+),ou=users,dc=theoretic,dc=com$$"
by dn.exact,expand="uid=$2,ou=users,dc=theoretic,dc=com" read
by dn.exact="uid=webregister,ou=services,dc=theoretic,dc=com" write
by * none
# or, allow access to any user by self with read privileges
# and by webregister with write privileges, if this is what you mean
access to dn.regex="^uid=([^,]+),ou=users,dc=theoretic,dc=com$$"
by self read
by dn.exact="uid=webregister,ou=services,dc=theoretic,dc=com" write
by * none
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
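To see why the clause order matters, here is an added Python model of slapd's first-match ACL evaluation, constructed for this thread (it is not OpenLDAP code), run over the poster's ordering and the suggested one; it assumes the poster's dc=example on the ou=users line was meant as dc=theoretic, so that only the order and the extra "by webregister write" differ.

```python
import re

# Model of slapd ACL evaluation (constructed, not OpenLDAP code): the first
# "access to" clause whose target matches is the only one consulted, and
# inside it the first matching "by" clause decides the privilege.
WEB = "uid=webregister,ou=services,dc=theoretic,dc=com"
USERS = "ou=users,dc=theoretic,dc=com"

def acl(target, by, attrs=None):
    # target: ("base", dn) | ("regex", pat); attrs: None (entry + attributes) or "children"
    return {"target": target, "attrs": attrs, "by": by}

def who_match(who, bind_dn, target_dn, m):
    if who[0] == "*":
        return True
    if who[0] == "self":
        return bind_dn == target_dn
    # dn.exact and dn.exact,expand: $N in the template comes from the target regex groups
    return bind_dn == m.expand(re.sub(r"\$(\d+)", r"\\\1", who[1]))

def evaluate(acls, bind_dn, target_dn, attr=None):
    # privilege bind_dn gets on target_dn (attr None = the entry itself)
    for a in acls:
        if a["attrs"] is not None and a["attrs"] != attr:
            continue
        kind, pat = a["target"]
        m = re.fullmatch(re.escape(pat), target_dn) if kind == "base" else re.search(pat, target_dn)
        if m is None:
            continue                  # target not selected, try the next clause
        for who, priv in a["by"]:
            if who_match(who, bind_dn, target_dn, m):
                return priv           # first matching "by" wins
        return "none"                 # clause matched but no "by" did: stop here
    return "none"                     # nothing matched: default deny

def can_add(acls, bind_dn, parent_dn, new_dn):
    # an add needs write on the parent's children AND write on the new entry
    return (evaluate(acls, bind_dn, parent_dn, "children") == "write"
            and evaluate(acls, bind_dn, new_dn) == "write")

# The poster's order: the per-user clause comes first and intercepts the new entry.
ORIGINAL = [
    acl(("regex", r"uid=(.+),ou=users,dc=theoretic,dc=com"),
        [(("expand", "uid=$1,ou=users,dc=theoretic,dc=com"), "read"), (("*",), "none")]),
    acl(("base", USERS), [(("exact", WEB), "write"), (("*",), "none")], attrs="children"),
]
# The suggested order (Python wants a single "$" where slapd.conf needs "$$").
SUGGESTED = [
    acl(("base", USERS), [(("exact", WEB), "write"), (("*",), "none")], attrs="children"),
    acl(("regex", r"^(.*,)?uid=([^,]+),ou=users,dc=theoretic,dc=com$"),
        [(("expand", "uid=$2,ou=users,dc=theoretic,dc=com"), "read"),
         (("exact", WEB), "write"), (("*",), "none")]),
]
```

With ORIGINAL, webregister gets write on the children of ou=users but "none" on the new entry itself, which is the permission denied the poster saw; with SUGGESTED the add succeeds and each user still only reads their own subtree.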