
ACLs in FAQ: 663



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This question refers to 

http://www.openldap.org/faq/index.cgi?file=653

<QUITO>
For a setup where a user can write to their own record and to all of its
children.

 access to dn.regex="^.*,(uid=.*,o=Company)$$"
        by dn.regex="^$1$$" write
        by anonymous auth
 access to *
        by self write
        by anonymous read

</QUITO>

I have some questions with this.

First, what do the double $ mean at the end of the regexes?
I am used to the single '$' as the delimiter of the line (so no characters can
follow the $), but what does the $$ mean? Is there also something like '^^'
to demark the beginning of a line?

Secondly, in the first rule, 'by anonymous auth' gives anonymous the possibility
to auth against entries under users' entries. Is that intentional?
In my setup 'users' have entries under their entry that shouldn't contain
authentication information, like addressbooks and such. Therefore I don't
grant auth access to anonymous under my users' entries.

Thirdly, in the second rule, 'by anonymous read' gives read access to 
anonymous to all entries (except those defined in the first rule).
That would mean that anonymous (i.e. connections to ldap without username and 
password) can read all user entries and all attributes of those entries.

I would be more comfortable with an answer like this:

<PROPOSED>
For a setup where a user can write to their own entry and to all of its
children (disallowing any other entity access to the user's entry and all of
its children, but allowing anonymous authentication to the user's entry):

 access to dn.regex="^.+,(uid=.+,o=Company)$"
        by dn.regex="^$1$" write
 access to *
        by self write
        by anonymous auth

</PROPOSED>


Ace

website: http://www.suares.nl * http://www.qwikzite.nl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)

iD8DBQFAAhQey7boE8xtIjURAjLxAJ9qxQliM7nozmGRqUIL59mLl+NXtwCffhDy
I7Ce/ErXAIoVGthgKgslFWs=
=C+WB
-----END PGP SIGNATURE-----
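The following is an added example, not part of the message above and not OpenLDAP code: a small Python model of how slapd evaluates the two ACL sets in the message, so the three concerns raised (the `$$`, anonymous `auth` below user entries, anonymous `read` on everything else) can be checked against concrete DNs. The model implements only slapd's first-matching `access to` / first-matching `by` semantics with `none` when no `by` clause matches; it treats `$$` as an escaped literal `$` anchor (an assumption of the model, check slapd.access(5) for your version), pastes `$N` sub-matches into the `by dn.regex` pattern unescaped, and ignores DN normalisation and case folding. The DNs `uid=alice,o=Company`, `uid=bob,o=Company` and `cn=addressbook,uid=alice,o=Company` are constructed for the example.

```python
"""Model of slapd ACL evaluation for the two rule sets in the message.
Added example, not OpenLDAP code.  It implements only what the
discussion needs: 'access to *' and 'access to dn.regex', and
'by self', 'by anonymous' and 'by dn.regex' with $N substitution,
using slapd's semantics: the first 'access to' clause whose target
matches is used, the first matching 'by' clause inside it decides, and
if no 'by' clause matches the result is 'none'.  DN normalisation and
case folding are ignored (assumption of the model)."""
import re

# slapd's ordered access levels; a grant of level X implies every lower level.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def unescape_dollar(pattern):
    """'$N' is a substitution in slapd.conf ACL regexes, so the literal
    end-of-line anchor is written '$$'.  The model turns that back into
    the single '$' the regex engine expects (assumption, see lead-in)."""
    return pattern.replace("$$", "$")


def expand(who_pattern, groups):
    """Replace $1..$9 in a 'by dn.regex' pattern with the sub-matches of
    the 'access to dn.regex' clause.  The matched text is pasted in
    unescaped, so regex metacharacters in a DN stay live."""
    def repl(m):
        idx = int(m.group(1))
        return groups[idx - 1] if idx <= len(groups) else ""
    return unescape_dollar(re.sub(r"\$([1-9])", repl, who_pattern))


def evaluate(acl, target_dn, bind_dn=None):
    """Return the access level acl grants bind_dn on target_dn.
    bind_dn=None models an anonymous (unauthenticated) connection."""
    for what, by_clauses in acl:
        groups = ()
        if what != "*":
            m = re.match(unescape_dollar(what[1]), target_dn)
            if not m:
                continue
            groups = m.groups()
        for who, level in by_clauses:
            if who == "anonymous" and bind_dn is None:
                return level
            if who == "self" and bind_dn is not None and bind_dn == target_dn:
                return level
            if (isinstance(who, tuple) and bind_dn is not None
                    and re.match(expand(who[1], groups), bind_dn)):
                return level
        return "none"  # target matched, but no 'by' clause did: denied
    return "none"


def grants(level, needed):
    """True if access level 'level' is at least 'needed' (read implies auth)."""
    return LEVELS.index(level) >= LEVELS.index(needed)


# The two rule sets from the message, transcribed as
# (what, [(who, level), ...]) with the regex strings exactly as in slapd.conf.
FAQ_ACL = [
    (("dn.regex", "^.*,(uid=.*,o=Company)$$"),
     [(("dn.regex", "^$1$$"), "write"), ("anonymous", "auth")]),
    ("*", [("self", "write"), ("anonymous", "read")]),
]
PROPOSED_ACL = [
    (("dn.regex", "^.+,(uid=.+,o=Company)$"),
     [(("dn.regex", "^$1$"), "write")]),
    ("*", [("self", "write"), ("anonymous", "auth")]),
]

# Constructed sample DNs (not taken from the message).
ALICE = "uid=alice,o=Company"
BOB = "uid=bob,o=Company"
ALICE_BOOK = "cn=addressbook,uid=alice,o=Company"


def compare():
    """Evaluate the cases the message raises under both rule sets;
    returns {case: (level under FAQ ACL, level under proposed ACL)}."""
    cases = {
        "owner on child": (ALICE_BOOK, ALICE),
        "anonymous on child": (ALICE_BOOK, None),    # second concern
        "other user on child": (ALICE_BOOK, BOB),
        "anonymous on user entry": (ALICE, None),    # third concern
        "owner on own entry": (ALICE, ALICE),
        "other user on user entry": (ALICE, BOB),
    }
    return {name: (evaluate(FAQ_ACL, t, b), evaluate(PROPOSED_ACL, t, b))
            for name, (t, b) in cases.items()}


if __name__ == "__main__":
    for name, (faq, proposed) in compare().items():
        print(f"{name:26} FAQ={faq:6} proposed={proposed}")
```

Under the FAQ rules the model grants anonymous `auth` on the addressbook entry below alice and `read` on alice's own entry; under the proposed rules those become `none` and `auth` respectively, while alice keeps `write` on both and bob gets nothing on either, which is the behaviour the message asks for. Because `auth` sits below `read` in slapd's level ordering, `grants("auth", "read")` is false: an anonymous bind may use the entry to authenticate but cannot read its attributes.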