Re: ACL for only creating entry
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
In the example I sent you - my own configuration with all the qwido's in it -
it SEEMS to work. I can add an entry with GQ and then GQ doesn't let me read
the entry. That's what you want, isn't it?
Also, these ACLs are only part of the total ACLs. I'd like you to give me an
example ldif file and the full ACL file, but as simple as possible.
In my understanding the following can be explained:
> # Make the user entry writable for WebRegister
> # make the user entry readable for users
> access to dn.regex="uid=(.+),ou=users,dc=theoretic,dc=com" attrs=entry
> by dn.regex="uid=$1,ou=users,dc=theoretic,dc=com" read
> by dn.base="uid=webregister,ou=services,dc=theoretic,dc=com" write
> by * none
webregister also needs some permissions above 'uid='... but these shouldn't
have to be WRITE permissions. Did you try with read? Are you using GQ? Can
you browse the tree? Can you search the tree?
>
> # Forbid access to the other attributes of individual user entries by
> # WebRegister
> access to dn.regex="uid=(.+),ou=users,dc=theoretic,dc=com"
> by dn.regex="uid=$1,ou=users,dc=theoretic,dc=com" read
> by * none
This rule forbids webregister from reading existing entries. However, a
non-existing entry can still be made because of the previous rule! That's the
trick, that's how I think it works.
>
> # Grant access to WebRegister to create new users,
> # even if it can't see them (above ACL)
> access to dn.base="ou=users,dc=theoretic,dc=com" attrs=children
> by dn.base="uid=webregister,ou=services,dc=theoretic,dc=com" write
> by * none
But to be able to create the uid entries, webregister needs to be able to make
children to 'ou=users'. That's why this rule is here...
>
> But it only works as intended if I add the following 4th rule at the end,
> giving webregister write access to the grandparent node of the individual
> users (the parent of the node where users are created).
>
> ## Default to read access.
> access to dn=".*,dc=theoretic,dc=com"
> by dn="uid=webregister,ou=services,dc=theoretic,dc=com" write
> by self write
> # by * auth
> # by * search
>
I think if webregister can make children to ou=users, it's all it needs. It
also may need read access to ou=users, to be able to reach 'that far' in the
tree. The 'fourth' rule shouldn't be needed....
I urge you to try and make an ACL similar to the one I sent you in the earlier
message. Use the exact ACL or 'translate' it to your situation as close as
possible. As I said, I wouldn't be surprised if someone who *really*
understands ACLs would tell us that's not possible at all, and the reason
why.
Still....
Ace
website: http://www.suares.nl * http://www.qwikzite.nl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)
iD8DBQE/3anCy7boE8xtIjURAmQFAJwLD8Je5BYh+BNHruTIIEwCEG/NyACggmU1
i481u+D2TyPkbaA9pjcRn0w=
=gHS2
-----END PGP SIGNATURE-----
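The thread asks for "the full ACL file, but as simple as possible". The following slapd.conf fragment is an added example, not part of the original messages or of either poster's configuration. It uses the thread's suffix (dc=theoretic,dc=com) and the webregister service DN, and is written for OpenLDAP 2.4 or later, where the explicit privilege `=a` grants the add right without the read right; the version in use in the thread only had `write`, which implies read on whatever it is granted on (though `write` on the `entry` pseudo-attribute alone does not grant read on the entry's other attributes, which is why the quoted rules appear to work). The userPassword rule is an assumption needed so that users and webregister can bind at all.

```conf
# Added example, not from the thread: create-but-not-read ACLs for
# uid=webregister,ou=services,dc=theoretic,dc=com (OpenLDAP 2.4+ syntax).
# Rules are evaluated in order; the first "access to" clause that matches
# the entry/attribute decides, so the attribute-specific rule comes first.

# Passwords: owners may change their own, binds may compare (auth) it,
# and webregister may only add it when it creates a new entry ("=a" is
# add-only and never implies read or search).
access to attrs=userPassword
    by self write
    by anonymous auth
    by dn.exact="uid=webregister,ou=services,dc=theoretic,dc=com" =a
    by * none

# Individual user entries (no attrs= keyword, so this covers every other
# attribute and the entry pseudo-attribute). webregister gets add only, so
# it can create such an entry but cannot search for it or read it later;
# each user can read their own entry; nobody else sees anything.
access to dn.regex="^uid=[^,]+,ou=users,dc=theoretic,dc=com$"
    by dn.exact="uid=webregister,ou=services,dc=theoretic,dc=com" =a
    by self read
    by * none

# Adding a child entry also requires add access to the "children"
# pseudo-attribute of the parent. This is the only right webregister
# holds on ou=users itself; no rule higher up the tree is needed.
access to dn.exact="ou=users,dc=theoretic,dc=com" attrs=children
    by dn.exact="uid=webregister,ou=services,dc=theoretic,dc=com" =a
    by * none

# Everything not matched above is denied explicitly.
access to *
    by * none
```

To check it behaves as the thread wants: bind as webregister and `ldapadd` an entry such as `uid=alice,ou=users,dc=theoretic,dc=com` (with objectClass inetOrgPerson and a userPassword), which should succeed; then run an `ldapsearch -b "uid=alice,ou=users,dc=theoretic,dc=com"` with the same bind, which should return nothing; finally bind as alice and search her own DN, which should return her entry. If your server is older than 2.4, `=a` is not available and you are back to `write` on the `entry` and `children` pseudo-attributes as in the quoted rules, which lets webregister see that the entry exists but not its attributes.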