
Re: Problem with ACL and regex



>
> access to * attribute=userPassword
>         by self write
>         by dn="cn=admin,ou=user,dc=cw" write
>         by anonymous auth

this should be

access to * attrs=userPassword
        by self write
        by dn.exact="cn=admin,ou=user,dc=cw" write
        by anonymous auth

Note that if "cn=admin,ou=user,dc=cw" is your rootdn
you don't need the second "by" clause, it's implicit.

>
> # Ensure read access to the base for things like
> # supportedSASLMechanisms.  Without this you may
> # have problems with SASL not knowing what
> # mechanisms are available and the like.
> # Note that this is covered by the 'access to *'
> # ACL below too but if you change that as people
> # are wont to do you'll still need this if you
> # want SASL (and possible other things) to work
> # happily.
> access to dn.base="" by * read
>
> # User is only allowed to access subfolder of himself
>
> access to dn.regex="^cn=[^,],ou=user,dc=cw" attrs=children
>         by group.regex="cn=$1,ou=user,dc=cw" read
>         by group.regex="cn=$1,ou=user,dc=cw" search

This should be

access to dn.regex="^cn=([^,]+),ou=user,dc=cw$$" attrs=children
        by group.regex="cn=$1,ou=user,dc=cw" read
        by group.regex="cn=$1,ou=user,dc=cw" search


>
> # Every User should have read access to the global address book, admin has
> # write access
>
> access to dn="ou=company-addressbook,dc=cw"
>         by dn="cn=admin,ou=user,dc=cw" write
>         by users read
>         by users search
>
> # Admin should have Access rights to write everywhere
>
> access to *
>         by dn="cn=admin,ou=users,dc=cw" write

Again, note that if "cn=admin,ou=user,dc=cw" is your
rootdn you don't need to mention it in "by" clauses.

Something might be missing to obtain what you want;
I note that the ACL about groups is a bit curious:
you're allowing everybody read access to their own
entry as if it were a group; the two "by" clauses
have exactly the same pattern but different access
privileges.  I think you should review the way
groups are intended to work.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
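The following is an added example, not part of this thread and not OpenLDAP code: a small Python script that checks the original and the corrected dn.regex patterns against constructed sample DNs and emulates how slapd substitutes the captured "$1" into the "by group.regex" clause. Note that slapd.conf writes the end anchor as "$$" (a literal "$", since "$1".."$9" are substitution markers), whereas in a Python regex it is a single "$"; the script also skips the DN normalization slapd performs before matching, which is an assumption for the sake of a stand-alone check.

```python
import re

# Constructed sample DNs (not taken from the thread) to exercise both patterns.
SAMPLE_DNS = [
    "cn=alice,ou=user,dc=cw",            # normal user entry
    "cn=a,ou=user,dc=cw",                # single-character cn
    "cn=a,ou=user,dc=cw,dc=other",       # longer DN sharing the same prefix
    "cn=alice,ou=users,dc=cw",           # different OU, must never match
]

# Pattern as posted in the question: no capture group, "[^,]" matches exactly
# one character, and nothing anchors the end of the DN.
ORIGINAL_PATTERN = r"^cn=[^,],ou=user,dc=cw"

# Corrected pattern from the reply ("$$" in slapd.conf is a single "$" here).
CORRECTED_PATTERN = r"^cn=([^,]+),ou=user,dc=cw$"

# The "by" clause template with its $1 placeholder, as written in the reply.
BY_TEMPLATE = "cn=$1,ou=user,dc=cw"


def expand_by_clause(pattern, target_dn, template=BY_TEMPLATE):
    """Emulate slapd's substitution of $1..$9 (captured from the 'access to'
    regex) into a 'by' clause.  Returns the expanded DN, or None when the
    target DN does not match the 'access to' pattern at all."""
    m = re.match(pattern, target_dn)
    if m is None:
        return None

    def repl(mo):
        idx = int(mo.group(1))
        # A reference to a group the pattern never captured expands to nothing.
        return m.group(idx) if idx <= len(m.groups()) else ""

    return re.sub(r"\$(\d)", repl, template)


def evaluate(pattern, dns=SAMPLE_DNS):
    """Map every sample DN to the 'by' DN the pattern would produce for it."""
    return {dn: expand_by_clause(pattern, dn) for dn in dns}


if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL_PATTERN),
                          ("corrected", CORRECTED_PATTERN)):
        print(f"--- {name}: {pattern}")
        for dn, by_dn in evaluate(pattern).items():
            print(f"{dn:40} -> {by_dn}")
```

Running it shows the three defects the reply fixes: the original pattern never matches a multi-character cn, it matches DNs that merely start with the expected prefix, and because it has no capture group the "by" clause expands to "cn=,ou=user,dc=cw", which names no real group. The corrected pattern matches exactly the user entries and expands "$1" to the user's own cn.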