
Re: Problem with ACL and regex



What happens if you remove the break from the first access statement?

> > #Order matters put the entries I suggested first

> > access to dn.regex="cn=(.+),ou=user,dc=cw"
> >     by self read
> >     by dn="cn=admin,ou=user,dc=cw" write
        by * auth
Remove break at the end of the line above.

The way ACLs work (or at least the behaviour I have noticed) is that when
you match one ACL then it stops checking,
so if you use break at the end it will keep on going to the next ACL.
In my setup I first restrict everything I want to restrict and later on I
allow access to the rest.

The other thing you can try is to leave it as is but then change the last
line of the config to:  access to * by users search
instead of access to * by users read

> > access to dn.regex="ou=addressbok,cn=(.+),ou=user,dc=cw"
> >     by self write
> >     by dn="cn=admin,ou=user,dc=cw" write
> >     by * auth
> > # Remove the * that you had in this line
> > access to attribute=userPassword
> >     by self write
> >     by dn="cn=admin,ou=user,dc=cw" write
> >     by anonymous auth
> > access to dn="ou=company-addressbook,dc=cw"
> >     by dn="cn=admin,ou=user,dc=cw" write
> >     by users read
> >     by users search
> > access to *
> >     by dn="cn=admin,ou=users,dc=cw" write
> >     by users read



Diego
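As an added example, not code from this thread or from OpenLDAP: a small Python model of how slapd walks the ACLs quoted above (the first matching `access to` directive wins, inside it the first matching `by` wins, `stop` ends evaluation, `break` keeps the level found and moves on to the next directive). It treats `dn.regex` as an unanchored search, as slapd does, and `self` as bound DN equal to entry DN; the user entries and the correctly spelled `addressbook` entry are constructed.

```python
import re

# Added model (not slapd code) of slapd ACL evaluation for the config quoted above:
# the first matching `access to` directive wins, the first matching `by` inside it
# wins, `stop` ends evaluation, `break` keeps the level and tries the next directive.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
ADMIN = "cn=admin,ou=user,dc=cw"

def thread_acls(first_control):
    """The quoted ACLs; first_control is 'break' (as posted) or 'stop' (break removed)."""
    return [
        (("dn", re.compile(r"cn=(.+),ou=user,dc=cw")),
         [("self", "read", "stop"), (ADMIN, "write", "stop"), ("*", "auth", first_control)]),
        (("dn", re.compile(r"ou=addressbok,cn=(.+),ou=user,dc=cw")),   # spelling as quoted
         [("self", "write", "stop"), (ADMIN, "write", "stop"), ("*", "auth", "stop")]),
        (("attr", "userPassword"),
         [("self", "write", "stop"), (ADMIN, "write", "stop"), ("anonymous", "auth", "stop")]),
        (("dn", re.compile(r"ou=company-addressbook,dc=cw")),
         [(ADMIN, "write", "stop"), ("users", "read", "stop"), ("users", "search", "stop")]),
        (("any", None),   # access to *
         [("cn=admin,ou=users,dc=cw", "write", "stop"), ("users", "read", "stop")]),
    ]

def who_matches(who, bound_dn, entry_dn):
    return {"*": True, "self": bound_dn == entry_dn, "users": bound_dn != "",
            "anonymous": bound_dn == ""}.get(who, who == bound_dn)  # otherwise a literal DN

def what_matches(what, entry_dn, attr):
    kind, arg = what
    if kind in ("any", "attr"):
        return kind == "any" or attr == arg
    return arg.search(entry_dn) is not None  # dn.regex is an unanchored search in slapd

def access_level(acls, bound_dn, entry_dn, attr="cn"):
    """Level granted to bound_dn ('' = anonymous) on attribute attr of entry_dn."""
    level = "none"
    for what, by_clauses in acls:
        if not what_matches(what, entry_dn, attr):
            continue
        for who, granted, control in by_clauses:
            if who_matches(who, bound_dn, entry_dn):
                level = granted
                if control == "break":
                    break          # keep the level found, go on to the next directive
                return level       # stop: evaluation ends here
        else:
            return "none"          # no `by` clause matched: implicit "by * none stop"
    return level
```

Run against the quoted rules, the model shows why `by * auth break` lets a normal user fall through to `access to * by users read` on other users' entries (userPassword excepted, because that directive matches and no `by` clause applies), and that an entry spelled `addressbook` is never caught by the `addressbok` regex. It also shows that, since the first regex is unanchored and `self` only matches the user's own entry, removing `break` leaves a user with only `auth` on entries below their own.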


On Wed, 10 Mar 2004, Michael Hamann wrote:

> Hey Diego,
>
> thank you for your answer. Now a normal user can see the global
> addressbook but also all books of the other users. Except for the
> userPassword field I can access all attributes under the ou=user,dc=cw
> tree...
>
> I found out that when I comment out the last line of your config (the
> access to * by users read) then the user has only access to the global
> area. So it seems to me that the earlier rules are not fully recognized,
> and I do not really understand why...
>
> Michael
>
> >> >> As commented in my slapd.conf file I want:
> >> >>
> >> >> - every authorized user to read the global addressbook
> >> >> - admin should have right to write everywhere
> >> >> - the users should be able to update their own addressbook under
> >> >>   their own tree.
> >> >>
> >
> > #Order matters put the entries I suggested first
> > access to dn.regex="cn=(.+),ou=user,dc=cw"
> >     by self read
> >     by dn="cn=admin,ou=user,dc=cw" write
> >     by * auth break
> > access to dn.regex="ou=addressbok,cn=(.+),ou=user,dc=cw"
> >     by self write
> >     by dn="cn=admin,ou=user,dc=cw" write
> >     by * auth
> > # Remove the * that you had in this line
> > access to attribute=userPassword
> >     by self write
> >     by dn="cn=admin,ou=user,dc=cw" write
> >     by anonymous auth
> > access to dn="ou=company-addressbook,dc=cw"
> >     by dn="cn=admin,ou=user,dc=cw" write
> >     by users read
> >     by users search
> > access to *
> >     by dn="cn=admin,ou=users,dc=cw" write
> >     by users read