ACL's in FAQ: 663
- To: openldap-software@OpenLDAP.org
- Subject: ACL's in FAQ: 663
- From: Ace Suares <ace@suares.nl>
- Date: Sun, 11 Jan 2004 23:27:26 -0400
- Content-description: clearsigned data
- Content-disposition: inline
- Organization: Ace Suares' Internet Consultancy
- User-agent: KMail/1.5.1
This question refers to
http://www.openldap.org/faq/index.cgi?file=653
<QUOTE>
For a setup where a user can write to their own record and to all of its
children.
access to dn.regex="^.*,(uid=.*,o=Company)$$"
    by dn.regex="^$1$$" write
    by anonymous auth
access to *
    by self write
    by anonymous read
</QUOTE>
I have some questions with this.
First, what do the double $ mean at the end of the regexes?
I am used to the single '$' as the delimiter of the line (so no characters can
follow the $) but what does the $$ mean? Is there also something like '^^'
to demark the beginning of a line?
Secondly, in the first rule, 'by anonymous auth' gives the possibility for
anonymous to auth against entries under users entries. Is that intentional?
In my setup 'users' have entries under their entry that shouldn't contain
authentication information, like addressbooks and such. Therefore I don't
grant auth access to anonymous under my users' entries.
Thirdly, in the second rule, 'by anonymous read' gives read access to
anonymous to all entries (except those defined in the first rule).
That would mean that anonymous (i.e. connections to ldap without username and
password) can read all user entries and all attributes of those entries.
I would be more comfortable with an answer like this:
<PROPOSED>
For a setup where a user can write to their own entry and to all of its
children (disallowing any other entity access to the user's entry and all of
its children, but possibilizing anonymous authentication to the user's entry)
access to dn.regex="^.+,(uid=.+,o=Company)$"
    by dn.regex="^$1$" write
access to *
    by self write
    by anonymous auth
</PROPOSED>
Ace
website: http://www.suares.nl * http://www.qwikzite.nl
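To make the difference between the two ACLs concrete, here is an added example (written for this archive page; it is not code from the post or from OpenLDAP) that models how slapd evaluates these rules: the first `access to` whose what-clause matches the target entry is selected, within it the first matching `by` clause decides, and an unmatched rule falls back to the implicit `by * none`. The model assumes that `$N` in a `by dn.regex` is replaced by the Nth capture group of the what-clause regex (inserted as plain text) and that `$$` is an escaped literal `$`, i.e. the end-of-line anchor, which is the reading the FAQ's own patterns imply; it supports only the clause kinds that appear in the two ACLs and treats DNs as already normalized. All DNs below are constructed sample values.

```python
import re

# Constructed model of slapd ACL evaluation for the two rule sets in the post.
# Only the clause kinds used there are implemented: what-clauses 'dn.regex' and
# '*', who-clauses 'self', 'anonymous' and 'dn.regex'. Not OpenLDAP code.

# Access levels in slapd's order: a grant at one level implies every lower one.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def expand(pattern, match=None):
    """Rewrite slapd's '$' escapes (assumed semantics, see lead-in):
    '$$' -> a literal '$' (the regex end anchor), '$N' -> Nth capture group of
    the what-clause match, inserted as plain text. A lone trailing '$' stays."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "$" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt == "$":
                out.append("$")
                i += 2
                continue
            if nxt.isdigit() and match is not None:
                out.append(match.group(int(nxt)))
                i += 2
                continue
        out.append(pattern[i])
        i += 1
    return "".join(out)


def who_matches(who, who_arg, requester, target, what_match):
    """Does one 'by' clause apply? requester is None for an anonymous bind."""
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester == target
    if who == "dn.regex":
        # An anonymous bind has no DN, so a dn.regex clause never matches it.
        if requester is None:
            return False
        return re.search(expand(who_arg, what_match), requester) is not None
    raise ValueError("unsupported who clause: %s" % who)


def granted_level(acl, target, requester):
    """Level granted by the first rule whose what-clause matches the target.
    Inside that rule the first matching 'by' clause wins; if none matches, the
    implicit 'by * none' applies and later rules are never consulted."""
    for what_kind, what_arg, by_clauses in acl:
        if what_kind == "*":
            what_match = None
        else:
            what_match = re.search(expand(what_arg), target)
            if what_match is None:
                continue
        for who, who_arg, level in by_clauses:
            if who_matches(who, who_arg, requester, target, what_match):
                return level
        return "none"
    return "none"


def allowed(acl, target, requester, needed):
    """True if the granted level covers the requested one."""
    return LEVELS.index(granted_level(acl, target, requester)) >= LEVELS.index(needed)


# The FAQ's rules, as quoted in the post.
FAQ_ACL = [
    ("dn.regex", r"^.*,(uid=.*,o=Company)$$",
     [("dn.regex", r"^$1$$", "write"), ("anonymous", None, "auth")]),
    ("*", None,
     [("self", None, "write"), ("anonymous", None, "read")]),
]

# The poster's proposed rules.
PROPOSED_ACL = [
    ("dn.regex", r"^.+,(uid=.+,o=Company)$",
     [("dn.regex", r"^$1$", "write")]),
    ("*", None,
     [("self", None, "write"), ("anonymous", None, "auth")]),
]


def compare(target, requester, needed):
    """Decision under (FAQ ACL, proposed ACL) for one request."""
    return (allowed(FAQ_ACL, target, requester, needed),
            allowed(PROPOSED_ACL, target, requester, needed))


if __name__ == "__main__":
    # Constructed sample requests: (target entry, requester DN or None, level).
    cases = [
        ("uid=bob,o=Company", None, "read"),                       # point three
        ("uid=bob,o=Company", None, "auth"),
        ("cn=addressbook,uid=bob,o=Company", None, "auth"),        # point two
        ("cn=addressbook,uid=bob,o=Company", "uid=bob,o=Company", "write"),
        ("cn=addressbook,uid=bob,o=Company", "uid=alice,o=Company", "write"),
    ]
    for target, requester, needed in cases:
        print(target, requester or "anonymous", needed, compare(target, requester, needed))
```

Running it shows the two points raised in the post: under the FAQ's rules anonymous gets `read` on `uid=bob,o=Company` and `auth` on the entries beneath it, while the proposed rules leave anonymous with `auth` on the user's own entry only; in both rule sets the owner can write to a child entry and another user cannot.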