ACL for only creating entry
To Ace Suares:
I tried your last suggestion of:
# Make the user entry writable for WebRegister
# make the user entry readable for users
access to dn.regex="uid=(.+),ou=users,dc=theoretic,dc=com" attrs=entry
        by dn.regex="uid=$1,ou=users,dc=theoretic,dc=com" read
        by dn.base="uid=webregister,ou=services,dc=theoretic,dc=com" write
        by * none

# Forbid access to the other attributes of individual user entries by
# WebRegister
access to dn.regex="uid=(.+),ou=users,dc=theoretic,dc=com"
        by dn.regex="uid=$1,ou=users,dc=theoretic,dc=com" read
        by * none

# Grant access to WebRegister to create new users,
# even if it can't see them (above ACL)
access to dn.base="ou=users,dc=example,dc=com" attrs=children
        by dn.base="uid=webregister,ou=services,dc=theoretic,dc=com" write
        by * none
But it only works as intended if I add the following 4th rule at the end,
giving webregister write access to the grandparent node of the individual
users (the parent of the node where users are created).
## Default to read access.
access to dn=".*,dc=theoretic,dc=com"
        by dn="uid=webregister,ou=services,dc=theoretic,dc=com" write
        by self write
#       by * auth
#       by * search
I unfortunately can't afford to give webregister this access because then
some crafty cracker could access info outside of the users (such as in my
ou=services for non-human login accounts or ou=hosts for domains that my
box controls). And I only get the intended results by giving webregister
write access, so it seems there is something it needs to write to that is not
covered by the previous ACLs. I can't seem to figure out why, though, after
messing with it for a few hours.
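Two things in the posted rules are worth checking before reaching for a catch-all write rule. First, dn.base is an exact match, and the third rule names ou=users,dc=example,dc=com while every other rule uses dc=theoretic,dc=com, so that rule never matches the real parent; in the posted set the only rule that grants write on the children of ou=users,dc=theoretic,dc=com is the fourth one. Second, on OpenLDAP 2.4 and later an add also requires write access to the entry pseudo-attribute of the new entry and to each attribute the new entry carries, and because the first matching access clause for a target wins, the second rule (no attrs, by * none) denies webregister every attribute of a user entry. The configuration below is an added example of mine, not the poster's or Ace Suares' configuration; it assumes the suffix dc=theoretic,dc=com, the service account uid=webregister,ou=services,dc=theoretic,dc=com, and a fixed list of attributes that the registration form populates.

```conf
# Added example (not from the original message). Assumes suffix
# dc=theoretic,dc=com, service DN uid=webregister,ou=services,dc=theoretic,dc=com,
# and that new user entries carry only the attributes listed in rule 3.

# 1. Creating a child under ou=users needs write access to the 'children'
#    pseudo-attribute of the parent. dn.base is an exact match, so the
#    parent DN must carry the real suffix.
access to dn.base="ou=users,dc=theoretic,dc=com" attrs=children
        by dn.base="uid=webregister,ou=services,dc=theoretic,dc=com" write
        by * none

# 2. The new entry itself: slapd also checks write access to the 'entry'
#    pseudo-attribute of the entry being added. Users may read their own
#    entry; nobody else sees it. The anchored regex with [^,]+ matches only
#    direct children of ou=users, and dn.exact,expand (OpenLDAP 2.3+) uses
#    the captured uid as a literal DN rather than as another regex.
access to dn.regex="^uid=([^,]+),ou=users,dc=theoretic,dc=com$" attrs=entry
        by dn.exact,expand="uid=$1,ou=users,dc=theoretic,dc=com" read
        by dn.base="uid=webregister,ou=services,dc=theoretic,dc=com" write
        by * none

# 3. Attributes the registration form writes. An add operation writes every
#    attribute the new entry carries, so the creator needs write access to
#    exactly these and nothing more.
access to dn.regex="^uid=([^,]+),ou=users,dc=theoretic,dc=com$"
        attrs=objectClass,uid,cn,sn,mail,userPassword
        by dn.exact,expand="uid=$1,ou=users,dc=theoretic,dc=com" read
        by dn.base="uid=webregister,ou=services,dc=theoretic,dc=com" write
        by * none

# 4. Everything else in a user entry stays invisible to webregister.
access to dn.regex="^uid=([^,]+),ou=users,dc=theoretic,dc=com$"
        by dn.exact,expand="uid=$1,ou=users,dc=theoretic,dc=com" read
        by * none

# 5. Rest of the tree (ou=services, ou=hosts, ...): webregister is denied
#    explicitly; the 'by * auth' at the end still lets it bind, because a
#    bind is evaluated as an anonymous request against its own userPassword.
access to dn.subtree="dc=theoretic,dc=com"
        by dn.base="uid=webregister,ou=services,dc=theoretic,dc=com" none
        by self write
        by users read
        by * auth
```

Rule order matters: slapd uses the first `access to` clause whose target matches the entry and attribute, so the narrow user-entry rules must precede the subtree rule, and the `children` rule must precede any rule that would otherwise match ou=users with `by * none`. With `write`, rule 3 also lets webregister modify those attributes on existing users (including userPassword); on OpenLDAP 2.4 and later, which split write into add (`=a`) and delete (`=z`) privileges, replacing `write` with `=a` in rules 1 to 3 restricts the account to creating entries and adding values rather than replacing or deleting them. Testing with `slapacl -b "uid=newuser,ou=users,dc=theoretic,dc=com" -D "uid=webregister,ou=services,dc=theoretic,dc=com" entry/write` against the running configuration shows which clause each decision comes from without touching the directory.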