Re: Problem with ACL and regex
>
> access to * attribute=userPassword
> by self write
> by dn="cn=admin,ou=user,dc=cw" write
> by anonymous auth
This should be
access to * attrs=userPassword
by self write
by dn.exact="cn=admin,ou=user,dc=cw" write
by anonymous auth
Note that if "cn=admin,ou=user,dc=cw" is your rootdn
you don't need the second "by" clause, it's implicit.
>
> # Ensure read access to the base for things like
> # supportedSASLMechanisms. Without this you may
> # have problems with SASL not knowing what
> # mechanisms are available and the like.
> # Note that this is covered by the 'access to *'
> # ACL below too but if you change that as people
> # are wont to do you'll still need this if you
> # want SASL (and possible other things) to work
> # happily.
> access to dn.base="" by * read
>
> # User s only allowed to access subfolder of himself
>
> access to dn.regex="^cn=[^,],ou=user,dc=cw" attrs=children
> by group.regex="cn=$1,ou=user,dc=cw" read
> by group.regex="cn=$1,ou=user,dc=cw" search
This should be
access to dn.regex="^cn=([^,]+),ou=user,dc=cw$$" attrs=children
by group.regex="cn=$1,ou=user,dc=cw" read
by group.regex="cn=$1,ou=user,dc=cw" search
>
> # Every User should have read access to global address book, admin
> # has write access
>
> access to dn="ou=company-addressbook,dc=cw"
> by dn="cn=admin,ou=user,dc=cw" write
> by users read
> by users search
>
> # Admin should have Access rights to write everywhere
>
> access to *
> by dn="cn=admin,ou=users,dc=cw" write
Again, note that if "cn=admin,ou=user,dc=cw" is your
rootdn you don't need to mention it in "by" clauses.
Something might be missing to obtain what you want;
I note that the ACL about groups is a bit curious:
you're allowing everybody to read access their own
entry as if it were a group; the two "by" clauses
have exactly the same pattern but different access
privileges. I think you should review the way
groups are intended to work.
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it