Re: Problem with ACL and regex

["Michael Hamann" <mail@mhamann.net>]

Hey Diego,

thank you for your answer. Now a normal User can see the global
addressbook but also all books of the other users. Except of the
userPassword Field I can access all attributes under the ou=user,dc=cw
tree...

I found out that when I comment out the last line of your config (the
access to * by users read) then the user has only access to the global
area. So it seems to me that the earlier rules are not fully recognized -
which I do not really understand why...

Michael

>> >> As commented in my slapd.conf file I want:
>> >>
>> >> - every authorized user to read the global addressbook
>> >> - admin should have right to write everywhere
>> >> - the users should be able to update their own addressbook under
>> >>   there own tree.
>> >>
>
> #Order matters put the entries I suggested first
> access to dn.regex="cn=(.+),ou=user,dc=cw"
>  	by self read
>  	by dn="cn=admin,ou=user,dc=cw" write
>  	by * auth break
> access to dn.regex="ou=addressbok,cn=(.+),ou=user,dc=cw"
>  	by self write
>  	by dn="cn=admin,ou=user,dc=cw" write
>  	by * auth
> # Remove the * that you had in this line
> access to attribute=userPassword
> 	by self write
>         by dn="cn=admin,ou=user,dc=cw" write
>         by anonymous auth
> access to dn="ou=company-addressbook,dc=cw"
>         by dn="cn=admin,ou=user,dc=cw" write
>         by users read
>         by users search
> access to *
>         by dn="cn=admin,ou=users,dc=cw" write
>         by users read