
Re: Problem with ACL and regex



Hey Pierangelo,

thank you for your fast reply... I just modified my configuration, but I
still have the same result: both admin and normal users only have access to
the global directory (ou=company-adressbook,dc=cw).

Any other ideas?

Thanks a lot Michael

> this should be
>
> access to * attrs=userPassword
>         by self write
>         by dn.exact="cn=admin,ou=user,dc=cw" write
>         by anonymous auth
>
> Note that if "cn=admin,ou=user,dc=cw" is your rootdn
> you don't need the second "by" clause, it's implicit.
Hmm, I don't really understand. I thought this would only be my rootdn when
binding with this specific dn...


>> # Users only allowed to access subfolder of himself
>>
>> access to dn.regex="^cn=[^,],ou=user,dc=cw" attrs=children
>>         by group.regex="cn=$1,ou=user,dc=cw" read
>>         by group.regex="cn=$1,ou=user,dc=cw" search
>
> This should be
>
> access to dn.regex="^cn=([^,]+),ou=user,dc=cw$$" attrs=children
>         by group.regex="cn=$1,ou=user,dc=cw" read
>         by group.regex="cn=$1,ou=user,dc=cw" search
>
>> # Admin should have Access rights to write everywhere
>> access to *
>>         by dn="cn=admin,ou=users,dc=cw" write
>
> Again, note that if "cn=admin,ou=user,dc=cw" is your
> rootdn you don't need to mention it in "by" clauses.
>
> Something might be missing to obtain what you want;
> I note that the ACL about groups is a bit curious:
> you're allowing everybody to read access their own
> entry as if it were a group; the two "by" clauses
> have exactly the same pattern but different access
> privileges.  I think you should review the way
> groups are intended to work.
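As an added illustration, not part of the thread and not slapd's own code, the following Python simulation shows why the posted "to" regex never lets the $1 substitution work and why the corrected one restricts each user to their own entry. It assumes the trailing "$$" in the quoted slapd.conf line stands for the regex anchor "$", treats the "by" clause as a DN pattern (the thread's group.regex is a different mechanism), and uses constructed sample DNs.

```python
import re

# Constructed sample DNs (not taken from the thread).
USER_DN = "cn=michael,ou=user,dc=cw"
OTHER_DN = "cn=peter,ou=user,dc=cw"

# "to" patterns from the thread. The "$$" of slapd.conf is taken here as a
# plain "$" anchor (assumption for this simulation).
ORIGINAL_TO = r"^cn=[^,],ou=user,dc=cw"        # as posted: no "+", no capture group
CORRECTED_TO = r"^cn=([^,]+),ou=user,dc=cw$"   # as suggested in the reply
BY_PATTERN = "cn=$1,ou=user,dc=cw"             # "by" clause using $1 substitution


def expand_by(by_pattern, match):
    """Replace each $<n> in a by-clause pattern with submatch n of the target regex."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))), by_pattern)


def subject_allowed(to_regex, by_pattern, target_dn, bind_dn):
    """Does the by clause, after $n expansion, match the DN the client bound as?"""
    m = re.match(to_regex, target_dn)
    if m is None:
        return False  # the ACL does not even apply to this target entry
    try:
        expanded = expand_by(by_pattern, m)
    except IndexError:
        return False  # $1 with no capture group in the "to" regex: nothing to substitute
    return re.fullmatch(expanded, bind_dn) is not None


def effective_access(to_regex, by_clauses, target_dn, bind_dn):
    """First matching by clause wins, as in slapd; later clauses with the same
    pattern are never reached (the point raised about read vs search above)."""
    for pattern, access in by_clauses:
        if subject_allowed(to_regex, pattern, target_dn, bind_dn):
            return access
    return None


if __name__ == "__main__":
    print(subject_allowed(ORIGINAL_TO, BY_PATTERN, USER_DN, USER_DN))    # False
    print(subject_allowed(CORRECTED_TO, BY_PATTERN, USER_DN, USER_DN))   # True
    print(subject_allowed(CORRECTED_TO, BY_PATTERN, USER_DN, OTHER_DN))  # False
    clauses = [(BY_PATTERN, "read"), (BY_PATTERN, "search")]
    print(effective_access(CORRECTED_TO, clauses, USER_DN, USER_DN))     # read
```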