Re: ACL for only creating entry
Hi All,
> I had to change the below ACL suggestion slightly, replacing your "exact"
> with "base" (otherwise openldap wouldn't accept it), but no success. The
> account webregister is not able to see any of the children entries in the
> directory, as intended, but it is not able to create them at all. I get
> permission denied's.
>
Sigh. Logic tells me that the behaviour you are finding now is the correct
behaviour. But I swear I saw something like this work!
Fiddling for a while gave the desired results:
# Allow read access of root DSE to ALL
access to dn=""
        by * read
# Allow read access of 'cn=Subschema' to ALL
access to dn="cn=Subschema"
        by * read
access to dn.regex="^qwidoManager=.+,qwidoRole=qwidoManager,qwidoApp=qwido$" attrs=entry
        by dn.exact="qwidoApp=qwido" write
        by * none
access to dn.regex=".*,qwidoRole=qwidoManager,qwidoApp=qwido$"
        by * none
access to dn.base="qwidoRole=qwidoManager,qwidoApp=qwido" attrs=children
        by dn.exact="qwidoApp=qwido" write
        by * none
access to dn.base="qwidoRole=qwidoManager,qwidoApp=qwido"
        by dn.exact="qwidoApp=qwido" write
        by * none
access to dn.regex=".*,qwidoApp=qwido$"
        by * none
access to dn.base="qwidoApp=qwido" attrs=userpassword
        by self read
        by anonymous auth
        by * none
access to dn.base="qwidoApp=qwido" attrs=children
        by dn.exact="qwidoApp=qwido" write
        by * none
access to dn.base="qwidoApp=qwido"
        by self read
        by * none
access to *
        by * none
I am sorry if it's hard to read, but I don't have time to rewrite it to
'example.com'.
The trick is 'attrs=entry'.
Translated to your case (maybe you need some fiddling though):
# Make the user entry writable for WebRegister
# make the user entry readable for users
access to dn.regex="uid=(.+),ou=users,dc=theoretic,dc=com" attrs=entry
        by dn.regex="uid=$1,ou=users,dc=theoretic,dc=com" read
        by dn.base="uid=webregister,ou=services,dc=theoretic,dc=com" write
        by * none
# Forbid access to the other attributes of individual user entries by
# WebRegister
access to dn.regex="uid=(.+),ou=users,dc=theoretic,dc=com"
        by dn.regex="uid=$1,ou=users,dc=theoretic,dc=com" read
        by * none
# Grant access to WebRegister to create new users,
# even if it can't see them (above ACL)
# (the parent must be the same ou=users,dc=theoretic,dc=com as in the rules above)
access to dn.base="ou=users,dc=theoretic,dc=com" attrs=children
        by dn.base="uid=webregister,ou=services,dc=theoretic,dc=com" write
        by * none
Hope that helps, please let me know!
A_ce
--
Ace Suares' Internet Consultancy
NEW ADDRESS: Postbus 2599, 4800 CN Breda
phone: 06-244 33 608
fax and voicemail: 0848-707 705
website: http://www.suares.nl * http://www.qwikzite.nl
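The rule behind the 'attrs=entry' trick is that an add needs write access on the parent's `children` pseudo-attribute and write access on the new entry's own `entry` pseudo-attribute, and that slapd uses the first matching `access to` directive (with an implicit `by * none`). The following Python model is an added example, not code from the mail or from OpenLDAP: it simulates that first-match evaluation over the translated rules above, using the dc=theoretic,dc=com names from the thread and a constructed user `uid=bob`. It models only the entry/children checks, not everything a real slapd verifies, and it also makes a caveat visible: since access levels are cumulative (write implies read), webregister can still read the `entry` pseudo-attribute, so the DNs of user entries are not hidden from it, only their attributes are. Swapping the first two directives (`SWAPPED`) shows why the attrs=entry rule must come before the catch-all user rule.

```python
"""Toy model of slapd ACL evaluation: the first matching 'access to' directive
decides, the first matching 'by' clause within it gives the level, and an
unmatched 'by' list means none.  Constructed example; it models only the
entry/children checks relevant to the thread, not every check slapd performs."""
import re

# Cumulative access levels, lowest to highest (write implies read, and so on).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def grants(granted, needed):
    return LEVELS.index(granted) >= LEVELS.index(needed)


def norm(dn):
    # Case-insensitive comparison is enough for this toy model.
    return dn.lower()


class Acl:
    """One 'access to <what> [attrs=...] by <who> <level> ...' directive."""

    def __init__(self, what, by, attrs=None):
        self.kind, self.value = what   # ("base", dn) | ("regex", pattern) | ("*", None)
        self.attrs = attrs             # None means all attributes, entry/children included
        self.by = by                   # ordered list of ((kind, value), level)

    def match_target(self, dn):
        """Regex match (or True) when this directive covers dn, else None."""
        if self.kind == "*":
            return True
        if self.kind == "base":
            return True if norm(dn) == norm(self.value) else None
        # regexec-style: unanchored unless the pattern carries ^ / $
        return re.search(self.value, dn, re.IGNORECASE)

    def match_who(self, who, dn, m):
        """Level of the first 'by' clause matching the bound DN (None = anonymous)."""
        for (kind, value), level in self.by:
            if kind == "*":
                return level
            if kind == "anonymous" and who is None:
                return level
            if kind == "self" and who is not None and norm(who) == norm(dn):
                return level
            if kind == "dn.base" and who is not None and norm(who) == norm(value):
                return level
            if kind == "dn.regex" and who is not None:
                pat = value
                if m is not True:  # expand $1, $2 ... captured by the <what> regex
                    for i, g in enumerate(m.groups(), 1):
                        pat = pat.replace("$%d" % i, re.escape(g))
                if re.search(pat, who, re.IGNORECASE):
                    return level
        return "none"  # implicit trailing 'by * none'


def access_allowed(acls, who, dn, attr, needed):
    for acl in acls:
        m = acl.match_target(dn)
        if m is None:
            continue
        if acl.attrs is not None and attr not in acl.attrs:
            continue
        return grants(acl.match_who(who, dn, m), needed)  # first match decides
    return False  # no directive matched: default is none


def parent_of(dn):
    return dn.split(",", 1)[1]


def can_add(acls, who, new_dn):
    """Add = write on the parent's 'children' plus write on the new entry's 'entry'."""
    return (access_allowed(acls, who, parent_of(new_dn), "children", "write")
            and access_allowed(acls, who, new_dn, "entry", "write"))


# The translated rules from the mail, with a constructed user uid=bob.
USERS = "ou=users,dc=theoretic,dc=com"
WEBREG = "uid=webregister,ou=services,dc=theoretic,dc=com"
USER_RE = r"uid=(.+),ou=users,dc=theoretic,dc=com"
SELF_RE = r"uid=$1,ou=users,dc=theoretic,dc=com"
ANY = ("*", None)

ACLS = [
    Acl(("regex", USER_RE), [(("dn.regex", SELF_RE), "read"),
                             (("dn.base", WEBREG), "write"), (ANY, "none")], attrs={"entry"}),
    Acl(("regex", USER_RE), [(("dn.regex", SELF_RE), "read"), (ANY, "none")]),
    Acl(("base", USERS), [(("dn.base", WEBREG), "write"), (ANY, "none")], attrs={"children"}),
    Acl(ANY, [(ANY, "none")]),
]
# Same rules with the first two directives swapped: the catch-all user rule now
# shadows the attrs=entry rule, so webregister loses write on 'entry'.
SWAPPED = [ACLS[1], ACLS[0]] + ACLS[2:]
BOB = "uid=bob," + USERS


def demo():
    return {
        "webregister_can_add": can_add(ACLS, WEBREG, BOB),
        "webregister_reads_mail": access_allowed(ACLS, WEBREG, BOB, "mail", "read"),
        "webregister_sees_entry": access_allowed(ACLS, WEBREG, BOB, "entry", "read"),
        "bob_reads_own_mail": access_allowed(ACLS, BOB, BOB, "mail", "read"),
        "bob_reads_alice": access_allowed(ACLS, BOB, "uid=alice," + USERS, "mail", "read"),
        "bob_can_add": can_add(ACLS, BOB, "uid=carol," + USERS),
        "anonymous_sees_entry": access_allowed(ACLS, None, BOB, "entry", "read"),
        "swapped_webregister_can_add": can_add(SWAPPED, WEBREG, BOB),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-30s %s" % (name, value))
```

Run it as a script to print the decisions; `webregister_can_add` is True while `webregister_reads_mail` is False, which is the intended split, and `webregister_sees_entry` is True, which is the caveat. If the real server still denies the add, compare the order of the directives in slapd.conf against this list before anything else.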