Re: Problem with ACL and regex
> Hi,
>
> removing the break leads to the right direction. Now a normal user can
> access
^^^ what access level? read? write?
> the global book and his own user level (only his own) but - as
> last error he can't access his private addressbook under his user level
> (cn=mmaier,ou=user,dc=cw is accessible but not
> ou=addressbook,cn=mmaier,ou=user,dc=cw). I've played again with the
> options for hours today but I have really problems understanding how
> these ACLs should work...
>
> So my actual config is:
>
> -------------
>
> access to dn.regex="cn=(.+),ou=user,dc=cw"
> by self write
> by dn="cn=admin,ou=user,dc=cw" write
> by * auth
> access to dn.regex="ou=addressbook,cn=(.+),ou=user,dc=cw"
> by self write
> by dn="cn=admin,ou=user,dc=cw" write
> by * auth
> access to attribute=userPassword
> by self write
> by dn="cn=admin,ou=user,dc=cw" write
> by anonymous auth
> access to dn="ou=company-addressbook,dc=cw"
> by dn="cn=admin,ou=user,dc=cw" write
> by users read
> by users search
>
> access to *
> by dn="cn=admin,ou=users,dc=cw" write
> by users read
Let me rearrange your rules:

access to attrs=userPassword
    by self write
    by dn="cn=admin,ou=user,dc=cw" write
    by anonymous auth

# this is a bit dangerous: a user is allowed
# to __WRITE__ everything of its own entry
access to dn.regex="cn=.+,ou=user,dc=cw"
    by self write
    by dn="cn=admin,ou=user,dc=cw" write
    by * none

# same as above; BTW: this is the parent
# of the actual address book entries, right?
access to dn.regex="ou=addressbook,cn=([^,]+),ou=user,dc=cw"
    by dn.exact,expand="cn=$1,ou=user,dc=cw" write
    by dn="cn=admin,ou=user,dc=cw" write
    by * none

# warning, this is implied by the rule below
access to dn="ou=company-addressbook,dc=cw"
    by dn="cn=admin,ou=user,dc=cw" write
    by users read
    by * none

access to *
    by dn="cn=admin,ou=users,dc=cw" write
    by users read
    by * none
If you want to allow users to read/write their own address book, which, I
assume, means append entries below
"ou=addressbook,cn=([^,]+),ou=user,dc=cw" you need to do:
# allow everybody to try to bind
access to attrs=userPassword
    by self write
    by dn.exact="cn=admin,ou=user,dc=cw" write
    by anonymous auth

# give read access to one's entry to himself only
access to dn.regex="^cn=([^,]+),ou=user,dc=cw$$"
    by self read
    by dn.exact="cn=admin,ou=user,dc=cw" write
    by * none

# allow one to create children of its own addressbook
access to dn.regex="^ou=addressbook,cn=([^,]+),ou=user,dc=cw$$"
    attrs=children
    by dn.exact,expand="cn=$1,ou=user,dc=cw" write
    by dn.exact="cn=admin,ou=user,dc=cw" write
    by * none

# allow one to create entries in its own addressbook
access to dn.regex="[^,]+,ou=addressbook,cn=([^,]+),ou=user,dc=cw$$"
    attrs=entry,<list what attributes one needs to write>
    by dn.exact,expand="cn=$1,ou=user,dc=cw" write
    by dn.exact="cn=admin,ou=user,dc=cw" write
    by * none

# allow everybody to read everything else, including
# the company-wide addressbook
# (note: ou=user, the same admin DN as in the rules above;
# the original catch-all read ou=users, which matches no entry)
access to *
    by dn.exact="cn=admin,ou=user,dc=cw" write
    by users read
    by * none
Please replace the <list what attributes one needs to write> with
whatever you want to allow one to write; or, if you basically want
to allow to write all the attributes allowed by a specific
objectClass, say "inetOrgPerson", you can use "@inetOrgPerson";
don't forget to list the pseudo-attribute "entry".
p.
>
> ---
>
> The only thing which is still missing is the user access to their
> phonebooks which currently does not work.
>
> These ACLs drive me crazy - if anybody has a clue on how to fix that
> problem please tell me...
>
> Thank you in advance
>
> Michael
>
>>> > #Order matters put the entries I suggested first
>>
>>> > access to dn.regex="cn=(.+),ou=user,dc=cw"
>>> > by self read
>>> > by dn="cn=admin,ou=user,dc=cw" write
>> by * auth
>> Remove break at the end of the line above.
>>
>> The way acls work (or at least the behaviour I have noticed) is that
>> when you match one acl then it stops checking,
>> so if you use break at the end it will keep on going to the next acl.
>> In my setup I first restrict everything I want to restrict and later
>> on I allow access to the rest.
>>
>> The other thing you can try is to leave it as is but then on the last
>> line change of the config to: access to * by users search
>> instead of access to * by users read
>>
>>> > access to dn.regex="ou=addressbok,cn=(.+),ou=user,dc=cw"
>>> > by self write
>>> > by dn="cn=admin,ou=user,dc=cw" write
>>> > by * auth
>>> > # Remove the * that you had in this line
>>> > access to attribute=userPassword
>>> > by self write
>>> > by dn="cn=admin,ou=user,dc=cw" write
>>> > by anonymous auth
>>> > access to dn="ou=company-addressbook,dc=cw"
>>> > by dn="cn=admin,ou=user,dc=cw" write
>>> > by users read
>>> > by users search
>>> > access to *
>>> > by dn="cn=admin,ou=users,dc=cw" write
>>> > by users read
>>
>>
>>
>> Diego
>>
>>
>> On Wed, 10 Mar 2004, Michael Hamann wrote:
>>
>>> Hey Diego,
>>>
>>> thank you for your answer. Now a normal user can see the global
>>> addressbook but also all books of the other users. Except for the
>>> userPassword field I can access all attributes under the
>>> ou=user,dc=cw tree...
>>>
>>> I found out that when I comment out the last line of your config (the
>>> access to * by users read) then the user has only access to the
>>> global area. So it seems to me that the earlier rules are not fully
>>> recognized -
>>> which I do not really understand why...
>>>
>>> Michael
>>>
>>> >> >> As commented in my slapd.conf file I want:
>>> >> >>
>>> >> >> - every authorized user to read the global addressbook
>>> >> >> - admin should have right to write everywhere
>>> >> >> - the users should be able to update their own addressbook
>>> under
>>> >> >> their own tree.
>>> >> >>
>>> >
>>> > #Order matters put the entries I suggested first
>>> > access to dn.regex="cn=(.+),ou=user,dc=cw"
>>> > by self read
>>> > by dn="cn=admin,ou=user,dc=cw" write
>>> > by * auth break
>>> > access to dn.regex="ou=addressbok,cn=(.+),ou=user,dc=cw"
>>> > by self write
>>> > by dn="cn=admin,ou=user,dc=cw" write
>>> > by * auth
>>> > # Remove the * that you had in this line
>>> > access to attribute=userPassword
>>> > by self write
>>> > by dn="cn=admin,ou=user,dc=cw" write
>>> > by anonymous auth
>>> > access to dn="ou=company-addressbook,dc=cw"
>>> > by dn="cn=admin,ou=user,dc=cw" write
>>> > by users read
>>> > by users search
>>> > access to *
>>> > by dn="cn=admin,ou=users,dc=cw" write
>>> > by users read
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
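The confusion in this thread is about slapd's evaluation order: the first "access to" whose target matches the entry/attribute is the only one consulted, then the first matching "by" clause in it decides, and an unmatched requester falls through to "by * none". Below is an added, self-contained evaluator (not slapd and not part of the mail) that models exactly that default "stop" semantics, including dn.exact,expand with $1 and the "entry"/"children" pseudo-attributes, over Pierangelo's final rule set. It assumes slapd.conf's "$$" is a plain regex "$", and fills the attribute placeholder of the fourth rule with the constructed values "cn" and "mail"; "break"/"continue" are not modelled.

```python
import re

LEVELS = ["none", "auth", "compare", "search", "read", "write"]
ADMIN = "cn=admin,ou=user,dc=cw"

# Pierangelo's final rules as (dn.regex target, attrs or None for "all", ordered by-clauses).
# A by-clause is ("self"|"anonymous"|"users"|"*", level) or ("dn"|"expand", dn-pattern, level).
# "cn" and "mail" in the fourth rule are a constructed stand-in for the mail's placeholder.
ACL = [
    (r".*", {"userPassword"}, [("self", "write"), ("dn", ADMIN, "write"), ("anonymous", "auth")]),
    (r"^cn=([^,]+),ou=user,dc=cw$", None, [("self", "read"), ("dn", ADMIN, "write"), ("*", "none")]),
    (r"^ou=addressbook,cn=([^,]+),ou=user,dc=cw$", {"children"},
     [("expand", "cn=$1,ou=user,dc=cw", "write"), ("dn", ADMIN, "write"), ("*", "none")]),
    (r"[^,]+,ou=addressbook,cn=([^,]+),ou=user,dc=cw$", {"entry", "cn", "mail"},
     [("expand", "cn=$1,ou=user,dc=cw", "write"), ("dn", ADMIN, "write"), ("*", "none")]),
    (r".*", None, [("dn", ADMIN, "write"), ("users", "read"), ("*", "none")]),
]

def who_matches(clause, requester, entry_dn, match):
    # requester is the bind DN, or None for an anonymous bind
    kind = clause[0]
    if kind in ("self", "anonymous", "users", "*"):
        return {"self": requester == entry_dn, "anonymous": requester is None,
                "users": requester is not None, "*": True}[kind]
    if kind == "dn":
        return requester == clause[1]
    # dn.exact,expand: substitute $1.. with the capture groups of the matched target regex
    return requester == re.sub(r"\$(\d)", lambda g: match.group(int(g.group(1))), clause[1])

def granted_level(requester, entry_dn, attr):
    """Default (stop) semantics: first matching target decides, then its first matching by-clause."""
    for target, attrs, by in ACL:
        m = re.search(target, entry_dn)  # slapd regexes are unanchored unless ^/$ are used
        if not m or (attrs is not None and attr not in attrs):
            continue
        for clause in by:
            if who_matches(clause, requester, entry_dn, m):
                return clause[-1]
        return "none"  # target matched but no by-clause selected the requester: deny
    return "none"  # no directive matched at all: deny

def allowed(requester, entry_dn, attr, want):
    return LEVELS.index(granted_level(requester, entry_dn, attr)) >= LEVELS.index(want)

def can_add(requester, new_dn):
    # an add needs write on the parent's "children" and on the new entry's "entry" pseudo-attribute
    parent = new_dn.split(",", 1)[1]
    return allowed(requester, parent, "children", "write") and allowed(requester, new_dn, "entry", "write")
```

Swapping the second and last rules (or dropping "by * none") in ACL reproduces the symptom Michael saw, where "by users read" in the catch-all exposes every user's subtree.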