
Re: Problem with ACL and regex



> (cn=mmaier,ou=user,dc=cw is accessible but not
> (ou=addressbook,cn=mmaier,ou=user,dc=cw). I've played again with the
> options for hours today but I have really problems understanding how these

Are you aware your current config allows users to change any information
in their own entry and not only their password? If this is ok, then the
following ACL should do it for you:

access to dn.children="ou=user,dc=cw"
        by self write
        by dn="cn=admin,ou=user,dc=cw" write
        by * auth
# YOU MAY NEED break at the end of the line above if users cannot read
access to attribute=userPassword
        by self write
        by dn="cn=admin,ou=user,dc=cw" write
        by anonymous auth
access to dn="ou=company-addressbook,dc=cw"
        by dn="cn=admin,ou=user,dc=cw" write
        by users read
        by users search
access to *
        by dn="cn=admin,ou=users,dc=cw" write
        by users read

>
> access to dn.regex="cn=(.+),ou=user,dc=cw"
>          by self write
>          by dn="cn=admin,ou=user,dc=cw" write
>          by * auth
> access to dn.regex="ou=addressbook,cn=(.+),ou=user,dc=cw"
>          by self write
>          by dn="cn=admin,ou=user,dc=cw" write
>          by * auth
> access to attribute=userPassword
>         by self write
>         by dn="cn=admin,ou=user,dc=cw" write
>         by anonymous auth
> access to dn="ou=company-addressbook,dc=cw"
>         by dn="cn=admin,ou=user,dc=cw" write
>         by users read
>         by users search
>
> access to *
>         by dn="cn=admin,ou=users,dc=cw" write
>         by users read
>
> ---
>
> The only thing which is still missing is the user access to their
> phonebooks which currently does not work.
>
> These ACLs drive me crazy - if anybody has a clue on how to fix that
> problem please tell me...
>
> Thank you in advance
>
> Michael
>
> >> > #Order matters put the entries I suggested first
> >
> >> > access to dn.regex="cn=(.+),ou=user,dc=cw"
> >> >     by self read
> >> >     by dn="cn=admin,ou=user,dc=cw" write
> >         by * auth
> > Remove break at the end of the line above.
> >
> > The way acls work (or at least the behaviour I have noticed) is that when
> > you match one acl then it stops checking,
> > so if you use break at the end it will keep on going to the next acl.
> > In my setup I first restrict everything I want to restrict and later on I
> > allow access to the rest.
> >
> > The other thing you can try is to leave it as is but then change the last
> > line of the config to:  access to * by users search
> > instead of access to * by users read
> >
> >> > access to dn.regex="ou=addressbook,cn=(.+),ou=user,dc=cw"
> >> >     by self write
> >> >     by dn="cn=admin,ou=user,dc=cw" write
> >> >     by * auth
> >> > # Remove the * that you had in this line
> >> > access to attribute=userPassword
> >> >     by self write
> >> >         by dn="cn=admin,ou=user,dc=cw" write
> >> >         by anonymous auth
> >> > access to dn="ou=company-addressbook,dc=cw"
> >> >         by dn="cn=admin,ou=user,dc=cw" write
> >> >         by users read
> >> >         by users search
> >> > access to *
> >> >         by dn="cn=admin,ou=users,dc=cw" write
> >> >         by users read
> >
> >
> >
> > Diego
> >
> >
> > On Wed, 10 Mar 2004, Michael Hamann wrote:
> >
> >> Hey Diego,
> >>
> >> thank you for your answer. Now a normal user can see the global
> >> addressbook but also all books of the other users. Except for the
> >> userPassword field, I can access all attributes under the ou=user,dc=cw
> >> tree...
> >>
> >> I found out that when I comment out the last line of your config (the
> >> access to * by users read) then the user has only access to the global
> >> area. So it seems to me that the earlier rules are not fully recognized,
> >> which I do not really understand why...
> >>
> >> Michael
> >>
> >> >> >> As commented in my slapd.conf file I want:
> >> >> >>
> >> >> >> - every authorized user to read the global addressbook
> >> >> >> - admin should have right to write everywhere
> >> >> >> - the users should be able to update their own addressbook under
> >> >> >>   their own tree.
> >> >> >>
> >> >
> >> > #Order matters put the entries I suggested first
> >> > access to dn.regex="cn=(.+),ou=user,dc=cw"
> >> >  	by self read
> >> >  	by dn="cn=admin,ou=user,dc=cw" write
> >> >  	by * auth break
> >> > access to dn.regex="ou=addressbook,cn=(.+),ou=user,dc=cw"
> >> >  	by self write
> >> >  	by dn="cn=admin,ou=user,dc=cw" write
> >> >  	by * auth
> >> > # Remove the * that you had in this line
> >> > access to attribute=userPassword
> >> > 	by self write
> >> >         by dn="cn=admin,ou=user,dc=cw" write
> >> >         by anonymous auth
> >> > access to dn="ou=company-addressbook,dc=cw"
> >> >         by dn="cn=admin,ou=user,dc=cw" write
> >> >         by users read
> >> >         by users search
> >> > access to *
> >> >         by dn="cn=admin,ou=users,dc=cw" write
> >> >         by users read
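To make the first-match/stop-versus-break behaviour discussed in this thread concrete, here is a small Python model of slapd's access-directive evaluation, added as an illustration and not OpenLDAP code or anything posted by the participants. It assumes that dn.regex is unanchored and that by dn.exact,expand= substitutes $1 from the to-clause capture group (both as described in slapd.access(5)); the QUOTED and FIXED strings are constructed from the directives quoted above.

```python
import re

def parse_acl(text):
    """'access to <what>' / 'by <who> <priv> [break]' -> [(what, [(who, priv, break)])]."""
    acl = []
    for words in (line.split("#")[0].split() for line in text.splitlines()):
        if words[:2] == ["access", "to"]:
            acl.append((words[2], []))
        elif words[:1] == ["by"]:
            acl[-1][1].append((words[1], words[2], words[3:] == ["break"]))
    return acl

def to_matches(what, dn, attr):
    """Does the 'to' selector cover (dn, attr)? Returns (matched, regex match)."""
    kind, _, val = what.partition("=")
    val = val.strip('"')
    if kind == "dn.regex":                  # unanchored, like POSIX regexec()
        m = re.search(val, dn)
        return m is not None, m
    return {"*": True, "attribute": attr == val, "dn": dn == val,
            "dn.children": dn.endswith("," + val)}[kind], None

def by_matches(who, bind_dn, dn, m):
    """Does the 'by' subject describe the bound identity? m is the to-regex match."""
    kind, _, val = who.partition("=")
    val = val.strip('"')
    if kind == "dn.exact,expand":           # $1 comes from the dn.regex capture group
        return m is not None and bind_dn == m.expand(val.replace("$", "\\"))
    return {"*": True, "anonymous": bind_dn == "", "users": bind_dn != "",
            "self": bind_dn != "" and bind_dn == dn, "dn": bind_dn == val}[kind]

def access(acl, bind_dn, dn, attr="entry"):
    """Privilege bind_dn ends up with on (dn, attr): the first matching directive decides."""
    priv = "none"
    for what, bys in acl:
        ok, m = to_matches(what, dn, attr)
        if not ok:
            continue
        hit = next(((p, brk) for who, p, brk in bys if by_matches(who, bind_dn, dn, m)), None)
        if hit is None:
            return "none"                   # directive matched, no by-clause did: denied
        priv, brk = hit
        if not brk:
            return priv                     # default control is "stop"
    return priv                             # reached only after a "break"

# Constructed from the thread's quoted directives (trimmed); FIXED anchors the regex and names the owner via $1.
QUOTED = ('access to dn.regex="cn=(.+),ou=user,dc=cw"\n by self write\n by * auth\n'
          'access to *\n by users read\n')
FIXED = ('access to dn.regex="^ou=addressbook,cn=([^,]+),ou=user,dc=cw$"\n'
         ' by dn.exact,expand="cn=$1,ou=user,dc=cw" write\n by * auth\n' + QUOTED)
```

With QUOTED, the owner's own addressbook entry is caught by the unanchored first directive (the regex also matches inside the child DN), so evaluation stops at `by * auth`; FIXED grants the owner write on it while other users still only get auth.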