Re: Problem with ACL and regex
Hi,
removing the break leads in the right direction. Now a normal user can
access the global book and his own user level (only his own) but, as the last
error, he can't access his private addressbook under his user level
(cn=mmaier,ou=user,dc=cw is accessible but
ou=addressbook,cn=mmaier,ou=user,dc=cw is not). I've played again with the
options for hours today but I really have problems understanding how these
ACLs should work...
So my actual config is:
-------------
access to dn.regex="cn=(.+),ou=user,dc=cw"
    by self write
    by dn="cn=admin,ou=user,dc=cw" write
    by * auth
access to dn.regex="ou=addressbook,cn=(.+),ou=user,dc=cw"
    by self write
    by dn="cn=admin,ou=user,dc=cw" write
    by * auth
access to attribute=userPassword
    by self write
    by dn="cn=admin,ou=user,dc=cw" write
    by anonymous auth
access to dn="ou=company-addressbook,dc=cw"
    by dn="cn=admin,ou=user,dc=cw" write
    by users read
    by users search
access to *
    by dn="cn=admin,ou=users,dc=cw" write
    by users read
---
The only thing which is still missing is the user access to their
phonebooks which currently does not work.
These ACLs drive me crazy - if anybody has a clue on how to fix that
problem please tell me...
Thank you in advance
Michael
>> > #Order matters put the entries I suggested first
>
>> > access to dn.regex="cn=(.+),ou=user,dc=cw"
>> > by self read
>> > by dn="cn=admin,ou=user,dc=cw" write
> by * auth
> Remove break at the end of the line above.
>
> The way ACLs work (or at least the behaviour I have noticed) is that when
> you match one ACL then it stops checking,
> so if you use break at the end it will keep on going to the next ACL.
> In my setup I first restrict everything I want to restrict and later on I
> allow access to the rest.
>
> The other thing you can try is to leave it as is but then change the last
> line of the config to: access to * by users search
> instead of access to * by users read
>
>> > access to dn.regex="ou=addressbook,cn=(.+),ou=user,dc=cw"
>> > by self write
>> > by dn="cn=admin,ou=user,dc=cw" write
>> > by * auth
>> > # Remove the * that you had in this line
>> > access to attribute=userPassword
>> > by self write
>> > by dn="cn=admin,ou=user,dc=cw" write
>> > by anonymous auth
>> > access to dn="ou=company-addressbook,dc=cw"
>> > by dn="cn=admin,ou=user,dc=cw" write
>> > by users read
>> > by users search
>> > access to *
>> > by dn="cn=admin,ou=users,dc=cw" write
>> > by users read
>
>
>
> Diego
>
>
> On Wed, 10 Mar 2004, Michael Hamann wrote:
>
>> Hey Diego,
>>
>> thank you for your answer. Now a normal user can see the global
>> addressbook but also all books of the other users. Except for the
>> userPassword field I can access all attributes under the ou=user,dc=cw
>> tree...
>>
>> I found out that when I comment out the last line of your config (the
>> access to * by users read) then the user has only access to the global
>> area. So it seems to me that the earlier rules are not fully recognized,
>> which I do not really understand why...
>>
>> Michael
>>
>> >> >> As commented in my slapd.conf file I want:
>> >> >>
>> >> >> - every authorized user to read the global addressbook
>> >> >> - admin should have right to write everywhere
>> >> >> - the users should be able to update their own addressbook under
>> >> >> their own tree.
>> >> >>
>> >
>> > #Order matters put the entries I suggested first
>> > access to dn.regex="cn=(.+),ou=user,dc=cw"
>> > by self read
>> > by dn="cn=admin,ou=user,dc=cw" write
>> > by * auth break
>> > access to dn.regex="ou=addressbook,cn=(.+),ou=user,dc=cw"
>> > by self write
>> > by dn="cn=admin,ou=user,dc=cw" write
>> > by * auth
>> > # Remove the * that you had in this line
>> > access to attribute=userPassword
>> > by self write
>> > by dn="cn=admin,ou=user,dc=cw" write
>> > by anonymous auth
>> > access to dn="ou=company-addressbook,dc=cw"
>> > by dn="cn=admin,ou=user,dc=cw" write
>> > by users read
>> > by users search
>> > access to *
>> > by dn="cn=admin,ou=users,dc=cw" write
>> > by users read
>>
>>
>>
>
>
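A small model of how slapd walks these clauses, added here as an illustration and not code from either poster. It reproduces the symptom Michael describes (the user reaches cn=mmaier,ou=user,dc=cw but not ou=addressbook,cn=mmaier,ou=user,dc=cw) from two facts about slapd ACLs: dn.regex is matched as an unanchored regular expression, so "cn=(.+),ou=user,dc=cw" also matches the addressbook entry beneath the user and swallows it before the second clause is ever reached; and "self" only matches the entry whose DN equals the bound DN, so it can never grant the owner access to a child entry. The "fixed" list is my proposal, not from the thread: anchor the regexes with ^ and $, put the child-entry clause first, and grant the owner through $1 substitution, which the simulator models with an "expand" selector standing in for slapd's dn.exact,expand="cn=$1,ou=user,dc=cw" style. The simulator covers only the default stop control, a few who-selectors and whole-entry or single-attribute targets; the posted clauses are transcribed as they appear above, including the differing "ou=users" admin DN in the last one.

```python
import re

# Access levels in slapd's order; a grant at one level implies the lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

ADMIN = "cn=admin,ou=user,dc=cw"


def who_matches(who, entry_dn, bound_dn, groups):
    """Does one <who> selector match the requesting identity?"""
    kind = who[0]
    if kind == "*":
        return True
    if kind == "anonymous":
        return bound_dn is None
    if kind == "users":
        return bound_dn is not None
    if kind == "self":  # only the entry whose DN equals the bound DN
        return bound_dn is not None and bound_dn == entry_dn
    if kind == "dn":  # plain dn="..." (exact match)
        return bound_dn == who[1]
    if kind == "expand":  # models dn.exact,expand="cn=$1,..." ($N from the regex)
        target = who[1]
        for i, grp in enumerate(groups, start=1):
            target = target.replace("$%d" % i, grp)
        return bound_dn == target
    raise ValueError("unknown who selector: %r" % (who,))


def granted_level(acl, entry_dn, bound_dn, attr="entry"):
    """Level granted by slapd-style evaluation.

    The first <access to> clause whose <what> matches the target is used and
    evaluation stops there (default 'stop' control). Inside it the first
    matching <by> wins; if none matches the clause yields 'none'.
    """
    for clause in acl:
        what, groups = clause["to"], ()
        if what[0] == "dn.regex":
            m = re.search(what[1], entry_dn)  # unanchored unless ^ and $ are written
            if not m:
                continue
            groups = m.groups()
        elif what[0] == "dn" and entry_dn != what[1]:
            continue
        elif what[0] == "attribute" and attr != what[1]:
            continue
        for who, level in clause["by"]:
            if who_matches(who, entry_dn, bound_dn, groups):
                return level
        return "none"
    return "none"


def allowed(acl, bound_dn, entry_dn, need, attr="entry"):
    """True if the bound identity gets at least level `need` on the entry."""
    got = granted_level(acl, entry_dn, bound_dn, attr)
    return LEVELS.index(got) >= LEVELS.index(need)


def clause(to, *by):
    return {"to": to, "by": list(by)}


# Michael's posted config, transcribed from the mail above.
POSTED = [
    clause(("dn.regex", r"cn=(.+),ou=user,dc=cw"),
           (("self",), "write"), (("dn", ADMIN), "write"), (("*",), "auth")),
    clause(("dn.regex", r"ou=addressbook,cn=(.+),ou=user,dc=cw"),
           (("self",), "write"), (("dn", ADMIN), "write"), (("*",), "auth")),
    clause(("attribute", "userPassword"),
           (("self",), "write"), (("dn", ADMIN), "write"), (("anonymous",), "auth")),
    clause(("dn", "ou=company-addressbook,dc=cw"),
           (("dn", ADMIN), "write"), (("users",), "read"), (("users",), "search")),
    clause(("*",),
           (("dn", "cn=admin,ou=users,dc=cw"), "write"), (("users",), "read")),
]

# Proposed fix (mine, not from the thread): anchored regexes, child entry first,
# owner granted via $1 expansion instead of 'self'.
FIXED = [
    clause(("dn.regex", r"^ou=addressbook,cn=([^,]+),ou=user,dc=cw$"),
           (("expand", "cn=$1,ou=user,dc=cw"), "write"),
           (("dn", ADMIN), "write"), (("*",), "auth")),
    clause(("dn.regex", r"^cn=([^,]+),ou=user,dc=cw$"),
           (("self",), "write"), (("dn", ADMIN), "write"), (("*",), "auth")),
] + POSTED[2:]

# Constructed DNs for the demonstration.
MMAIER = "cn=mmaier,ou=user,dc=cw"
OWN_BOOK = "ou=addressbook,cn=mmaier,ou=user,dc=cw"
OTHER_BOOK = "ou=addressbook,cn=other,ou=user,dc=cw"

if __name__ == "__main__":
    for name, acl in (("posted", POSTED), ("fixed", FIXED)):
        print(name, "own entry read:      ", allowed(acl, MMAIER, MMAIER, "read"))
        print(name, "own addressbook write:", allowed(acl, MMAIER, OWN_BOOK, "write"))
        print(name, "other's book read:    ", allowed(acl, MMAIER, OTHER_BOOK, "read"))
        print(name, "anonymous user read:  ", allowed(acl, None, MMAIER, "read"))
```

With the posted list, `granted_level(POSTED, OWN_BOOK, MMAIER)` comes back as "auth": the first clause's unanchored regex claims the addressbook entry, "self" fails because the entry is not the bound DN, and the catch-all "by * auth" decides. In the fixed list the same lookup returns "write" for the owner and "auth" for everyone else who is not admin, while anonymous binds still get the "auth" level they need on the user entry.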