
Problem with ACL and regex



Hello everybody,

I am just trying to set up a company-wide LDAP address book for these nice
Voice over IP phones with integrated LDAP client. I want to write a web
GUI to add and modify the entries...

Unfortunately I'm stuck on a problem with the access control lists of
OpenLDAP.

I have the following LDAP structure I want to use for my phonebook...

dc=cw
   -> ou=company-adressbook
      -> cn=Axel Schulz
      -> cn=Bill Gates
   -> ou=user
      -> cn=admin (the Admin/Manager account)
      -> cn=mhamann (here the userPassword is defined)
         -> ou=adressbook (this will be the personal address book)
            -> cn=Bill gates

As commented in my slapd.conf file I want:

- every authorized user to read the global addressbook
- admin should have right to write everywhere
- the users should be able to update their own address book under their own
tree.

When I log on to the LDAP server I can, both as admin and as a normal user,
access the global address book but not the personal address book. I spent
hours searching the web and the archive of this mailing list to find a
suitable answer, but without success...

Here is my acl.conf, which is included into my slapd.conf:

-----

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only

access to * attribute=userPassword
        by self write
        by dn="cn=admin,ou=user,dc=cw" write
        by anonymous auth

# Ensure read access to the base for things like
# supportedSASLMechanisms.  Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read

# User s only allowed to access subfolder of himself

access to dn.regex="^cn=[^,],ou=user,dc=cw" attrs=children
        by group.regex="cn=$1,ou=user,dc=cw" read
        by group.regex="cn=$1,ou=user,dc=cw" search

# Every User should have read access to to global address book, admin has
# write access

access to dn="ou=company-addressbook,dc=cw"
        by dn="cn=admin,ou=user,dc=cw" write
        by users read
        by users search

# Admin should have Access rights to write everywhere

access to *
        by dn="cn=admin,ou=users,dc=cw" write

----------------------------

I would be very happy if anybody could show me the mistake I do not see...

Thanks a lot in advance

Yours
Michael Hamann
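The following is an added, corrected version of the acl.conf above; it is not part of Michael's post and assumes OpenLDAP 2.x slapd.conf syntax and the tree exactly as he drew it (`ou=adressbook` with one "d", `ou=user` in the singular). slapd takes the first `access to` clause whose target matches the entry and attribute, then the first `by` clause whose subject matches, and stops there, so order decides everything. Measured against that, the posted file has these problems:

- `dn.regex="^cn=[^,],ou=user,dc=cw"`: `[^,]` matches exactly one character, and without parentheses no `$1` is ever captured.
- `group.regex=...` names a group entry whose `member` values are compared with the bound DN; the users' `cn=` entries are not groups, so the clause never grants anything. Matching the bound DN itself needs `dn.regex`.
- `attrs=children` on the user's own entry only governs adding or deleting entries directly beneath it; it does not give access to `ou=adressbook,...` or the `cn=` entries below, which therefore fall through to the final `access to *` (admin only).
- `by users search` after `by users read` is never reached; `read` already includes `search`.
- `dn="ou=company-addressbook,dc=cw"` names the `ou` entry only, not the `cn=` entries beneath it; that needs `dn.subtree`. The ou is also spelled `company-adressbook` in the tree and `company-addressbook` in the ACL, and the last clause says `ou=users` where everything else says `ou=user`.

```conf
# Added example acl.conf for the tree in the post (not the poster's file).
# Assumes OpenLDAP 2.x slapd.conf ACL syntax and the DNs exactly as drawn.
# Clauses are evaluated top-down: most specific first, catch-all last.

# userPassword: owner and admin may change it, everyone else may only use
# it to bind. "by * none" is the implicit default but is spelled out here.
access to attrs=userPassword
        by self write
        by dn.exact="cn=admin,ou=user,dc=cw" write
        by anonymous auth
        by * none

# Root DSE stays readable so clients can discover supportedSASLMechanisms.
access to dn.base="" by * read

# Personal address book: "ou=adressbook,cn=<user>,ou=user,dc=cw" and every
# entry below it. Group 1 is the optional child prefix, group 2 is the
# owner's cn; the "by" pattern re-uses $2 so only that user matches.
# Anchoring with ^ and $ keeps "...,dc=cw,dc=other" from matching.
access to dn.regex="^(.+,)?ou=adressbook,cn=([^,]+),ou=user,dc=cw$"
        by dn.regex="^cn=$2,ou=user,dc=cw$" write
        by dn.exact="cn=admin,ou=user,dc=cw" write
        by * none

# The user's own entry: "children" lets the owner create (and later delete)
# the ou=adressbook entry beneath it, "entry" lets the entry be returned.
# "self" matches when the bound DN equals the target DN, so no regex
# capture is needed here. Other attributes of the user entry fall through
# to the catch-all below.
access to dn.regex="^cn=[^,]+,ou=user,dc=cw$" attrs=children,entry
        by self write
        by dn.exact="cn=admin,ou=user,dc=cw" write
        by * none

# Company address book: every authenticated user may read the whole
# subtree, admin may write. dn.subtree covers the ou entry and the cn=
# entries under it; read already implies search, so one line is enough.
access to dn.subtree="ou=company-adressbook,dc=cw"
        by dn.exact="cn=admin,ou=user,dc=cw" write
        by users read
        by * none

# Everything else: admin only. Note ou=user, not ou=users.
access to *
        by dn.exact="cn=admin,ou=user,dc=cw" write
        by * none
```

On OpenLDAP 2.3 and later the result can be checked offline with `slapacl`, before restarting slapd, for example `slapacl -f /etc/openldap/slapd.conf -D "cn=mhamann,ou=user,dc=cw" -b "ou=adressbook,cn=mhamann,ou=user,dc=cw" entry/write` (the config path is an assumption); repeating the same command with `-D "cn=admin,ou=user,dc=cw"` and with another user's DN shows who is granted and who is denied at that point in the tree.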