Re: Problem with ACL and regex
Hey Diego,
thank you for your answer. Now a normal user can see the global
addressbook but also all books of the other users. Except for the
userPassword field I can access all attributes under the ou=user,dc=cw
tree...
I found out that when I comment out the last line of your config (the
access to * by users read) then the user only has access to the global
area. So it seems to me that the earlier rules are not fully recognized,
and I do not really understand why...
Michael
>> >> As commented in my slapd.conf file I want:
>> >>
>> >> - every authorized user to read the global addressbook
>> >> - admin should have right to write everywhere
>> >> - the users should be able to update their own addressbook under
>> >> their own tree.
>> >>
>
> #Order matters put the entries I suggested first
> access to dn.regex="cn=(.+),ou=user,dc=cw"
> by self read
> by dn="cn=admin,ou=user,dc=cw" write
> by * auth break
> access to dn.regex="ou=addressbok,cn=(.+),ou=user,dc=cw"
> by self write
> by dn="cn=admin,ou=user,dc=cw" write
> by * auth
> # Remove the * that you had in this line
> access to attribute=userPassword
> by self write
> by dn="cn=admin,ou=user,dc=cw" write
> by anonymous auth
> access to dn="ou=company-addressbook,dc=cw"
> by dn="cn=admin,ou=user,dc=cw" write
> by users read
> by users search
> access to *
> by dn="cn=admin,ou=users,dc=cw" write
> by users read
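The following Python script is an added illustration and is not part of either message in this thread. It is a simplified model of slapd's ACL evaluation (first matching "access to" directive, first matching "by" clause, "break" carrying on to later directives, implicit "by * none" when no clause matches) and runs the ACLs exactly as quoted above against a constructed user cn=bob,ou=user,dc=cw. It reproduces what Michael reports: the first dn.regex is not anchored with ^ and $, so it also matches every entry below a user, its "by * auth break" falls through, the second directive never matches because "addressbok" is not "addressbook" (I assume the real OU is ou=addressbook), and the catch-all "access to * by users read" then grants read on everybody's books. As a side effect the unanchored first directive also sits in front of the userPassword rule, so a user only gets read on his own password. The CORRECTED list is my suggestion, not Diego's or Michael's: password rule first, anchored regexes, the owner derived from the matched DN (what OpenLDAP's by dn.exact,expand="cn=$2,ou=user,dc=cw" form does), subtree access for the company addressbook and no catch-all read.

```python
import re

# slapd access levels in increasing order; a granted level implies every lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# ADMIN is the admin DN from the posted config; BOB is a constructed ordinary user.
ADMIN = "cn=admin,ou=user,dc=cw"
BOB = "cn=bob,ou=user,dc=cw"


def target_matches(target, entry_dn, attr):
    """Does an 'access to <what>' target cover this entry/attribute? Returns (hit, regex match)."""
    kind = target[0]
    value = target[1] if len(target) > 1 else None
    if kind == "attr":                     # access to attrs=<name>: only that attribute
        return attr == value, None
    if kind == "base":                     # dn="...": exactly that entry
        return entry_dn == value, None
    if kind == "subtree":                  # dn.subtree="...": the entry and everything below it
        return entry_dn == value or entry_dn.endswith("," + value), None
    if kind == "regex":                    # dn.regex="...": NOT anchored unless the pattern has ^ and $
        m = re.search(value, entry_dn)
        return m is not None, m
    return True, None                      # access to *


def who_matches(who, entry_dn, bind_dn, m):
    """Does a 'by <who>' clause apply to the bound identity (bind_dn is None for anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn == entry_dn
    kind, pattern = who
    if kind == "dn":                       # by dn="...": exact bind DN
        return bind_dn == pattern
    if kind == "dn_expand":                # by dn.exact,expand="...": fill in groups of the target regex
        return m is not None and bind_dn == m.expand(pattern)
    return False


def evaluate(rules, entry_dn, bind_dn, attr="entry"):
    """Simplified slapd evaluation: first matching directive, first matching <who> clause wins."""
    granted = "none"
    for target, clauses in rules:
        hit, m = target_matches(target, entry_dn, attr)
        if not hit:
            continue
        for who, level, control in clauses:
            if not who_matches(who, entry_dn, bind_dn, m):
                continue
            if control == "break":         # keep this level but let later directives revise it
                granted = level
                break
            return level                   # default control "stop": this clause decides
        else:
            return "none"                  # directive applied but no <who> matched: implicit "by * none"
    return granted


# The ACLs exactly as quoted in the thread (unanchored first regex, "addressbok" typo,
# "ou=users" instead of "ou=user" in the last directive).
AS_POSTED = [
    (("regex", r"cn=(.+),ou=user,dc=cw"),
     [("self", "read", "stop"), (("dn", ADMIN), "write", "stop"), ("*", "auth", "break")]),
    (("regex", r"ou=addressbok,cn=(.+),ou=user,dc=cw"),
     [("self", "write", "stop"), (("dn", ADMIN), "write", "stop"), ("*", "auth", "stop")]),
    (("attr", "userPassword"),
     [("self", "write", "stop"), (("dn", ADMIN), "write", "stop"), ("anonymous", "auth", "stop")]),
    (("base", "ou=company-addressbook,dc=cw"),
     [(("dn", ADMIN), "write", "stop"), ("users", "read", "stop"), ("users", "search", "stop")]),
    (("any",),
     [(("dn", "cn=admin,ou=users,dc=cw"), "write", "stop"), ("users", "read", "stop")]),
]

# My suggested replacement (assumes the per-user OU is really "ou=addressbook").
CORRECTED = [
    (("attr", "userPassword"),
     [("self", "write", "stop"), (("dn", ADMIN), "write", "stop"), ("*", "auth", "stop")]),
    (("regex", r"^(.+,)?ou=addressbook,cn=([^,]+),ou=user,dc=cw$"),
     [(("dn_expand", r"cn=\2,ou=user,dc=cw"), "write", "stop"), (("dn", ADMIN), "write", "stop")]),
    (("regex", r"^cn=[^,]+,ou=user,dc=cw$"),
     [("self", "read", "stop"), (("dn", ADMIN), "write", "stop"), ("*", "auth", "stop")]),
    (("subtree", "ou=company-addressbook,dc=cw"),
     [(("dn", ADMIN), "write", "stop"), ("users", "read", "stop")]),
    (("any",),
     [(("dn", ADMIN), "write", "stop")]),
]


def scenario(rules):
    """Access the normal user BOB gets on a few constructed sample entries."""
    return {
        "own entry": evaluate(rules, BOB, BOB, "cn"),
        "own password": evaluate(rules, BOB, BOB, "userPassword"),
        "own addressbook contact": evaluate(rules, "cn=Carol,ou=addressbook,cn=bob,ou=user,dc=cw", BOB, "cn"),
        "alice's addressbook": evaluate(rules, "ou=addressbook,cn=alice,ou=user,dc=cw", BOB, "cn"),
        "alice's password": evaluate(rules, "cn=alice,ou=user,dc=cw", BOB, "userPassword"),
        "global addressbook": evaluate(rules, "cn=Dave,ou=company-addressbook,dc=cw", BOB, "cn"),
    }


if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(name)
        for what, level in scenario(rules).items():
            print(f"  {what:24s} {level}")
```

With the posted rules bob gets "read" on alice's addressbook and only "read" on his own userPassword; with the corrected list he gets "none" on alice's book, "write" on his own contacts and password, "read" on his own entry and on the company addressbook, while anonymous binds still get "auth" on userPassword. The corrected per-user directive in slapd.conf terms is access to dn.regex="^(.+,)?ou=addressbook,cn=([^,]+),ou=user,dc=cw$" by dn.exact,expand="cn=$2,ou=user,dc=cw" write by dn="cn=admin,ou=user,dc=cw" write; the point of the model is that directive order and regex anchoring decide which rule fires, and that the evaluator stops at the first matching "by" clause unless it says break.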