[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Problem with ACL and regex

To: <mail@mhamann.net>
Subject: Re: Problem with ACL and regex
From: "Pierangelo Masarati" <ando@sys-net.it>
Date: Tue, 9 Mar 2004 15:41:13 +0100 (CET)
Cc: <openldap-software@OpenLDAP.org>
Importance: Normal
In-reply-to: <32969.193.22.120.35.1078840826.squirrel@193.22.120.35>
References: <32969.193.22.120.35.1078840826.squirrel@193.22.120.35>

>
> access to * attribute=userPassword
>         by self write
>         by dn="cn=admin,ou=user,dc=cw" write
>         by anonymous auth

this should be

access to * attrs=userPassword
        by self write
        by dn.exact="cn=admin,ou=user,dc=cw" write
        by anonymous auth

Note that if "cn=admin,ou=user,dc=cw" is your rootdn
you don't need the second "by" clause, it's implicit.

>
> # Ensure read access to the base for things like
> # supportedSASLMechanisms.  Without this you may
> # have problems with SASL not knowing what
> # mechanisms are available and the like.
> # Note that this is covered by the 'access to *'
> # ACL below too but if you change that as people
> # are wont to do you'll still need this if you
> # want SASL (and possible other things) to work
> # happily.
> access to dn.base="" by * read
>
> # User s only allowed to access subfolder of himself
>
> access to dn.regex="^cn=[^,],ou=user,dc=cw" attrs=children
>         by group.regex="cn=$1,ou=user,dc=cw" read
>         by group.regex="cn=$1,ou=user,dc=cw" search

This should be

access to dn.regex="^cn=([^,]+),ou=user,dc=cw$$" attrs=children
        by group.regex="cn=$1,ou=user,dc=cw" read
        by group.regex="cn=$1,ou=user,dc=cw" search


>
> # Every User should have read access to to global address book, admin
> has # write access
>
> access to dn="ou=company-addressbook,dc=cw"
>         by dn="cn=admin,ou=user,dc=cw" write
>         by users read
>         by users search
>
> # Admin should have Access rights to write everywhere
>
> access to *
>         by dn="cn=admin,ou=users,dc=cw" write

Again, note that if "cn=admin,ou=user,dc=cw" is your
rootdn you don't need to mention it in "by" clauses.

Something might be missing to obtain what you want;
I note that the ACL about groups is a bit curious:
you're allowing everybody to read access their own
entry as if it were a group; the two "by" clauses
have exactly the same pattern but different access
privileges.  I think you should review the way
groups are intended to work.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it

Follow-Ups:
- Re: Problem with ACL and regex
  - From: "Michael Hamann" <mail@mhamann.net>

References:
- Problem with ACL and regex
  - From: "Michael Hamann" <mail@mhamann.net>

Prev by Date: Re: openldap-2.1.27 - slapd not dying
Next by Date: Re: Problem with ACL and regex
Index(es):
- Chronological
- Thread