Re: Problem with ACL and regex
Hey Pierangelo,
thank you for your fast reply... I just modified my configuration but I
still have the same result: both admin and normal users only have access to
the global directory (ou=company-adressbook,dc=cw).
Any other ideas?
Thanks a lot,
Michael
> this should be
>
> access to * attrs=userPassword
>     by self write
>     by dn.exact="cn=admin,ou=user,dc=cw" write
>     by anonymous auth
>
> Note that if "cn=admin,ou=user,dc=cw" is your rootdn
> you don't need the second "by" clause, it's implicit.
Hmm, I don't really understand. I thought this would only be my rootdn when
binding with this specific dn...
>> # User is only allowed to access subfolder of himself
>>
>> access to dn.regex="^cn=[^,],ou=user,dc=cw" attrs=children
>>     by group.regex="cn=$1,ou=user,dc=cw" read
>>     by group.regex="cn=$1,ou=user,dc=cw" search
>
> This should be
>
> access to dn.regex="^cn=([^,]+),ou=user,dc=cw$$" attrs=children
>     by group.regex="cn=$1,ou=user,dc=cw" read
>     by group.regex="cn=$1,ou=user,dc=cw" search
>
>> # Admin should have Access rights to write everywhere
>> access to *
>>     by dn="cn=admin,ou=users,dc=cw" write
>
> Again, note that if "cn=admin,ou=user,dc=cw" is your
> rootdn you don't need to mention it in "by" clauses.
>
> Something might be missing to obtain what you want;
> I note that the ACL about groups is a bit curious:
> you're allowing everybody to read access their own
> entry as if it were a group; the two "by" clauses
> have exactly the same pattern but different access
> privileges. I think you should review the way
> groups are intended to work.
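
Added example (not part of the original message and not OpenLDAP code): a small Python model of how the two `dn.regex` patterns quoted above behave and what ends up in `$1` of the `by` clause. Assumptions: Python's `re` stands in for slapd's regex engine, the trailing `$$` in the reply is taken as an end-of-string anchor and written as a single `$`, and `expand_who` and the sample DNs are constructed for illustration.

```python
import re

# Patterns from the thread, transcribed to Python regex syntax (assumption:
# "$$" in the reply is an end-of-string anchor, written here as "$").
ORIGINAL = r"^cn=[^,],ou=user,dc=cw"
CORRECTED = r"^cn=([^,]+),ou=user,dc=cw$"
WHO_TEMPLATE = "cn=$1,ou=user,dc=cw"  # the by-clause pattern from the thread


def expand_who(target_pattern, who_template, target_dn):
    """Return the expanded who-pattern, or None if the target DN does not match.

    Hypothetical helper. A "$N" that refers to a group the pattern never
    captured is left unresolved in the result; slapd's exact handling of
    that case is not modelled here.
    """
    m = re.search(target_pattern, target_dn)
    if m is None:
        return None  # the "access to" clause does not select this entry

    def substitute(ref):
        idx = int(ref.group(1))
        return m.group(idx) if idx <= m.re.groups else ref.group(0)

    return re.sub(r"\$(\d)", substitute, who_template)


# Constructed sample DNs, not taken from the poster's directory.
SAMPLES = [
    "cn=michael,ou=user,dc=cw",   # ordinary user entry
    "cn=m,ou=user,dc=cw",         # single-character cn
    "cn=m,ou=user,dc=cwx",        # different suffix sharing a prefix
]


def compare():
    """Map each sample DN to (result with ORIGINAL, result with CORRECTED)."""
    return {dn: (expand_who(ORIGINAL, WHO_TEMPLATE, dn),
                 expand_who(CORRECTED, WHO_TEMPLATE, dn)) for dn in SAMPLES}


if __name__ == "__main__":
    for dn, (old, new) in compare().items():
        print(f"{dn:28} original -> {old!r:26} corrected -> {new!r}")
```

The original pattern selects only entries whose cn is one character long, captures nothing for `$1`, and, lacking an end anchor, also matches a DN under a different suffix that merely shares the prefix.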