Problem with ACL and regex
Hello everybody,
I am just trying to set up a company-wide LDAP address book for these nice
Voice over IP phones with an integrated LDAP client. I want to write a web
GUI to add and modify the entries...
Unfortunately I'm stuck on a problem with the access control lists of
OpenLDAP.
I have the following LDAP structure I want to use for my phone book...
dc=cw
  -> ou=company-adressbook
       -> cn=Axel Schulz
       -> cn=Bill Gates
  -> ou=user
       -> cn=admin (the admin/manager account)
       -> cn=mhamann (the userPassword is defined here)
            -> ou=adressbook (this will be the personal address book)
                 -> cn=Bill Gates
As commented in my slapd.conf file, I want:
- every authorized user to read the global address book
- admin to have the right to write everywhere
- the users to be able to update their own address book under their own
tree.
When I log on to the LDAP server, both as admin and as a normal user I can
access the global address book but not the personal address book. I spent
hours searching the web and the archive of this mailing list to find a
suitable answer, but without success...
Here is my acl.conf, which is included in my slapd.conf:
-----
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to * attribute=userPassword
by self write
by dn="cn=admin,ou=user,dc=cw" write
by anonymous auth
# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read
# Users are only allowed to access their own subtree
access to dn.regex="^cn=[^,],ou=user,dc=cw" attrs=children
by group.regex="cn=$1,ou=user,dc=cw" read
by group.regex="cn=$1,ou=user,dc=cw" search
# Every user should have read access to the global address book; admin has
# write access
access to dn="ou=company-addressbook,dc=cw"
by dn="cn=admin,ou=user,dc=cw" write
by users read
by users search
# Admin should have Access rights to write everywhere
access to *
by dn="cn=admin,ou=users,dc=cw" write
----------------------------
I would be very happy if anybody could show me the mistake I do not see...
Thanks a lot in advance.
Yours,
Michael Hamann
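The ACL set below is an added, corrected example written for this page; it is not from the original post and not from the OpenLDAP project. It keeps the poster's tree (ou=adressbook and ou=company-adressbook spelled as in the tree above, cn=admin under ou=user; the posted acl.conf spells the company book "company-addressbook", and whichever spelling the real entry carries is the one to use) and assumes a slapd release that supports the explicit dn.<style> selectors and dn.exact,expand in "by" clauses. Compared with the posted acl.conf it changes five things: [^,] matches exactly one character and contains no capturing group, so $1 is never populated, and the regex is now anchored and given a group; group.regex tests membership in a group entry, whereas comparing the bound DN against an expanded pattern is what dn.exact,expand does; attrs=children only governs adding and deleting child entries, so the personal entries themselves were never readable, and the rule now covers the whole ou=adressbook subtree; the last rule names ou=users where the tree and every other rule say ou=user; and the second "by users search" clause is never reached, because the first matching "by" clause wins and read already implies search.

```conf
# Corrected ACLs for the phone-book layout (added example, not the poster's file).
# slapd evaluates "access to" rules top to bottom and, inside a rule, stops at
# the first "by" clause that matches the bound DN. Regex selectors are matched
# against the normalized DN, so the values below are written in lower case,
# exactly as the tree was posted.

# userPassword: the owner may change it, admin may write it, everybody else
# may only use it to bind (auth).
access to attrs=userPassword
    by self write
    by dn.exact="cn=admin,ou=user,dc=cw" write
    by anonymous auth
    by * none

# The root DSE must stay readable for supportedSASLMechanisms and friends.
access to dn.base="" by * read

# Personal address book. Group 2 of the regex captures the user's cn; group 1
# is optional so the rule covers ou=adressbook itself and every entry below it
# (adding an entry needs write on the parent, which this grants).
# Whoever is bound as cn=<that cn>,ou=user,dc=cw gets write, which implies
# read and search; admin gets write as well. The account entry cn=<user>
# itself is not covered, so users can change nothing there but userPassword.
access to dn.regex="^(.+,)?ou=adressbook,cn=([^,]+),ou=user,dc=cw$"
    by dn.exact,expand="cn=$2,ou=user,dc=cw" write
    by dn.exact="cn=admin,ou=user,dc=cw" write
    by * none

# Company-wide address book: dn.subtree covers the ou entry and the entries
# under it; "read" already implies "search", so one clause is enough.
access to dn.subtree="ou=company-adressbook,dc=cw"
    by dn.exact="cn=admin,ou=user,dc=cw" write
    by users read
    by * none

# Everything else: admin writes, nobody else sees anything.
# Note the spelling ou=user (the posted file had ou=users here).
access to *
    by dn.exact="cn=admin,ou=user,dc=cw" write
    by * none

# Checking a rule without starting slapd, if your release ships slapacl
# (path to slapd.conf is an assumption, adjust it):
#   slapacl -f /etc/openldap/slapd.conf \
#       -D "cn=mhamann,ou=user,dc=cw" \
#       -b "ou=adressbook,cn=mhamann,ou=user,dc=cw" children/write
# should report that write is granted; the same command with a different
# user's DN after -D should report that it is denied.
```

The "by * none" clauses are the implicit default at the end of every rule, but writing them out makes the intent visible when the file is read or diffed later.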