Re: ACL for only creating entry (SOLVED)
adamtheo@theoretic.com wrote:
To Ace Suares, Pierangelo Masarati, and others of the list:
Pierangelo's suggestion for the ACLs to get the desired result of
allowing a UID to add new entries to a branch of the LDAP directory, but
also being denied access to read or write to them immediately after
creation (for the purpose of setting up an account registration form for
the general public to use to create accounts for themselves) has worked.
I had to figure out where to place his snippet, but after a short trial
and error period, this is my final and complete ACL entry for my
Directory:
<quote from='/etc/openldap/slapd.conf'>
access to attr=userPassword
    by self write
    by anonymous auth
access to dn.base="ou=users,dc=theoretic,dc=com"
    by dn="uid=webregister,ou=services,dc=theoretic,dc=com" write
    by anonymous auth
    by users read
    by self write
    by * none
access to dn.children="ou=users,dc=theoretic,dc=com"
    by dn.exact="uid=webregister,ou=services,dc=theoretic,dc=com" =xcsw
Sorry to contradict you, but to allow
"uid=webregister,ou=services,dc=theoretic,dc=com" to only add, delete
and possibly modrdn entries below "ou=users,dc=theoretic,dc=com", but
NOT modify their contents, and, at the same time, allow users below
"ou=users,dc=theoretic,dc=com" to read themselves and modify some
of their attributes you should do:
access to attr=userPassword
    by self write
    by anonymous auth
access to dn.base="ou=users,dc=theoretic,dc=com" attrs=children
    by dn="uid=webregister,ou=services,dc=theoretic,dc=com" write
    by users read
    by * none
access to dn.one="ou=users,dc=theoretic,dc=com" attrs=entry
    by dn.exact="uid=webregister,ou=services,dc=theoretic,dc=com" \
        write
    by users read
    by * none
access to dn.one="ou=users,dc=theoretic,dc=com" \
        attrs=<set of modifiable attrs>
    by self write
    by * none
access to dn.one="ou=users,dc=theoretic,dc=com" \
        attrs=<set of non-modifiable attrs^(1)>
    by self read
    by * none
# (1) if you omit this, then all the attributes not in <set of
# modifiable attrs> will be readable by self.
Note that I replaced "dn.children" with "dn.one" because the former
would allow users to create entries below themselves (but not
to read or modify them, though). If this is what you need, then
your ACLs would change a bit.
Please try this and see if it gives you the expected results.
p.
</quote>
These ACLs allow 'uid=webregister' to create a new 'uid' entry under
'ou=users', but forbid it from seeing those entries (both those it
creates and already existing ones), even forbidding write access.
Thank you everyone!
--
Dr. Pierangelo Masarati mailto:pierangelo.masarati@sys-net.it
LDAP Architect, SysNet s.n.c. http://www.sys-net.it
+----------------------------------------------------------------------------+
| |
| Merry Christmas and a happy New Year |
| |
| SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497 |
+----------------------------------------------------------------------------+
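The two ACL sets in this thread differ in ways that are easy to misread: slapd selects the first "access to" clause whose target matches and never looks further, the pseudo-attributes entry and children are what add/delete/modrdn are checked against, and dn.one versus dn.children decides whether webregister may also create entries below a user. The following Python model of that evaluation is added to this archive page; it is not code from the thread or from OpenLDAP. It parses both ACL sets as posted above and resolves what uid=webregister, a constructed sample account uid=alice, and an anonymous bind get on specific attributes. The attribute lists mail,description and uid,cn,objectClass are constructed stand-ins for Pierangelo's placeholder sets, the model assumes a target matched by no clause gets no access (slapd itself falls back to its default of read), and it implements only the who/what forms the thread uses.

```python
"""Toy model of how slapd resolves slapd.conf access directives (an added illustration,
not OpenLDAP code).  Clauses are tried in order; the first <what> matching (dn, attr) is
selected and its first matching <by> decides.  No matching <by> in that clause is none
(slapd's implicit 'by * none'); no matching clause at all is ASSUMED none here."""
LEVELS = {"none": "", "auth": "x", "compare": "cx", "search": "scx", "read": "rscx", "write": "wrscx"}

def _norm(dn):  # lower-case, trim blanks around RDN separators; DN escaping not handled
    return ",".join(p.strip() for p in dn.split(",")).lower()

def _lines(text):  # join backslash continuations, drop '#' comments and blank lines
    stripped = (l.split("#", 1)[0].strip() for l in text.replace("\\\n", " ").splitlines())
    return [l for l in stripped if l]

def parse_acl(text):  # -> [{'style', 'dn', 'attrs' (None = any attribute), 'by': [(who, privs)]}]
    rules = []
    for line in _lines(text):
        toks = line.split()
        if toks[:2] == ["access", "to"]:
            rule = {"style": None, "dn": "", "attrs": None, "by": []}
            for tok in toks[2:]:                    # a bare '*' selects neither branch below
                key, _, val = tok.partition("=")
                if key.startswith("attr"):          # attr= / attrs=, 'entry'/'children' included
                    rule["attrs"] = {a.lower() for a in val.split(",")}
                elif key.startswith("dn"):          # dn.<style>=; bare dn= and dn.exact= act as base
                    style = key.partition(".")[2] or "base"
                    rule["style"] = "base" if style == "exact" else style
                    rule["dn"] = _norm(val.strip('"'))
            rules.append(rule)
        elif toks[0] == "by":                       # 'write' -> 'wrscx'; '=xcsw' -> 'wscx'
            letters = toks[2][1:] if toks[2].startswith("=") else LEVELS[toks[2]]
            rules[-1]["by"].append((toks[1], "".join(c for c in "wrscx" if c in letters)))
    return rules

def _what_matches(rule, target, attr):
    if rule["attrs"] is not None and attr not in rule["attrs"]:
        return False
    p, parent = rule["dn"], (target.split(",", 1)[1] if "," in target else "")
    return rule["style"] is None or {"base": target == p, "one": parent == p,
                                     "children": target.endswith("," + p)}[rule["style"]]

def _who_matches(who, bound, target):  # bound is None for an anonymous bind
    if who in ("*", "users", "anonymous"):
        return who == "*" or (bound is not None) == (who == "users")
    if who == "self":
        return bound is not None and bound == target
    if who.startswith("dn"):           # dn="..." / dn.exact="...": exact match on the bound DN
        return bound == _norm(who.partition("=")[2].strip('"'))
    raise ValueError("unsupported <who>: " + who)

def resolve(rules, bound_dn, target_dn, attr):  # privilege letters, '' means no access
    bound = _norm(bound_dn) if bound_dn else None
    target, attr = _norm(target_dn), attr.lower()
    for rule in rules:
        if _what_matches(rule, target, attr):
            return next((p for who, p in rule["by"] if _who_matches(who, bound, target)), "")
    return ""

WEBREG = "uid=webregister,ou=services,dc=theoretic,dc=com"
USERS = "ou=users,dc=theoretic,dc=com"
ALICE = "uid=alice," + USERS          # constructed sample account under ou=users

# The ACLs posted in the first message of the thread.
ORIGINAL = parse_acl("""
access to attr=userPassword
    by self write
    by anonymous auth
access to dn.base="ou=users,dc=theoretic,dc=com"
    by dn="uid=webregister,ou=services,dc=theoretic,dc=com" write
    by anonymous auth
    by users read
    by self write
    by * none
access to dn.children="ou=users,dc=theoretic,dc=com"
    by dn.exact="uid=webregister,ou=services,dc=theoretic,dc=com" =xcsw
""")

# Pierangelo's ACLs; mail,description and uid,cn,objectClass are constructed stand-ins for his placeholders.
SUGGESTED = parse_acl("""
access to attr=userPassword
    by self write
    by anonymous auth
access to dn.base="ou=users,dc=theoretic,dc=com" attrs=children
    by dn="uid=webregister,ou=services,dc=theoretic,dc=com" write
    by users read
    by * none
access to dn.one="ou=users,dc=theoretic,dc=com" attrs=entry
    by dn.exact="uid=webregister,ou=services,dc=theoretic,dc=com" \\
        write
    by users read
    by * none
access to dn.one="ou=users,dc=theoretic,dc=com" attrs=mail,description
    by self write
    by * none
access to dn.one="ou=users,dc=theoretic,dc=com" attrs=uid,cn,objectClass
    by self read
    by * none
""")
```

resolve(ORIGINAL, WEBREG, ALICE, "mail") returns "wscx": under the first set the dn.children clause is the one selected for every regular attribute of every descendant, and =xcsw carries w, so webregister can modify the contents of existing accounts (and, because that clause is selected first, a user bound as uid=alice gets nothing on her own mail). Under SUGGESTED the same call returns "", while resolve(SUGGESTED, WEBREG, USERS, "children") and resolve(SUGGESTED, WEBREG, ALICE, "entry") both return "wrscx": write on the parent's children pseudo-attribute and on the new entry's entry pseudo-attribute, with no access to the attributes themselves, which is the add/delete/modrdn-but-not-modify split Pierangelo describes. Checking an entry one level below uid=alice shows the dn.one change: the ORIGINAL dn.children clause still grants webregister "wscx" there, the dn.one clauses grant nothing.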