
RE: ACL questions. Answered (long)



Hi Howard,

Adding "by * read" instead of "by * auth break" works correctly, thanks
for all your help.

Here is the final ACL that works for the purpose of clarifying to the
list:

access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * auth

# Allow users to change their login shell by themselves
access to attrs=loginShell
        by self write

# Allow uid=Sambaroot to write any samba entries and objectClass to
# children of ou=People.
access to dn.children="ou=People,dc=math,dc=gatech,dc=edu"
attrs=objectClass,sambaSamAccount
        by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * read

# Allow uid=Sambaroot to write the mentioned attributes in ou=Groups
access to dn.children="ou=Groups,dc=math,dc=gatech,dc=edu"
attrs=description,sambaSID,sambaGroupType,displayName,objectClass
        by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * read

# Allow uid=Sambaroot to write the objectClass and samba attributes to
# children of ou=Hosts
access to dn.children="ou=Hosts,dc=math,dc=gatech,dc=edu"
attrs=objectClass,sambaSamAccount
        by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * read

# Allow uid=Sambaroot to write to all children of ou=Idmap
access to dn.children="ou=Idmap,dc=math,dc=gatech,dc=edu"
        by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * read

# Now we restrict uid=Sambaroot so that this user cannot erase things
access to dn.regex="ou=(.+),dc=math,dc=gatech,dc=edu"
        by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" read
        by * read

# We also allow uid=Sambaroot to add the sambaDomainName entry under the
# database root (same level as rootdn).
access to dn.subtree="dc=math,dc=gatech,dc=edu"
        by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * read

# Then we grant access to read everything else.
access to *
        by * read



On Thu, 11 Mar 2004, Howard Chu wrote:

> > -----Original Message-----
> > From: Diego Julian Remolina [mailto:dijuremo@math.gatech.edu]
>
> > Actually what you suggested is not really working, see my 2 cases.  I
> > still need anonymous access to read entries for things like phone
> > numbers, addresses, etc.
> >
> > Case 1. Using by * auth break on ou=People which you say makes no
> > sense actually works.
> >
> > access to attrs=userPassword,sambaLMPassword,sambaNTPassword
> >         by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
> >         by * auth
> >
> > access to dn.children="ou=People,dc=math,dc=gatech,dc=edu"
> > attrs=sambaSamAccount
> >         by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu"
> > write
> >         by * auth break
> >
> > access to *
> >         by * read
>
> This is a completely different situation from the ACL you posted before. If
> you want "by * read" then you should state that explicitly. Liberal use of
> "break" statements makes the flow of control difficult to understand, and you
> will regret it months from now when you need to make an update to your rules.
>
>  access to attrs=userPassword
> 	by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
> 	by * auth
>
>  access to dn.children="ou=People,dc=math,dc=gatech,dc=edu"
> attrs=sambaSamAccount
> 	by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
> 	by * read
>
>  access to *
> 	by * read
>
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support
>
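As an added illustration, not part of this thread, here is a small Python model of the first-match evaluation that slapd.access(5) describes, applied to the three rules quoted above in both the "Case 1" form (by * auth break) and Howard's explicit form (by * read). The helper names, the privilege ordering in LEVELS and the test DN uid=bob are my assumptions; the rules themselves are the ones in the thread.

```python
# Constructed model of slapd's first-match ACL walk (slapd.access(5)): the first
# "access to <what>" matching the target is selected, its "by" clauses are walked
# in order and the first match sets the level; "stop" (default) ends evaluation,
# "break" goes on to the next directive, "continue" to the next "by" clause.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
BASE = "dc=math,dc=gatech,dc=edu"
SAMBAROOT = f"uid=Sambaroot,ou=People,{BASE}"
ANON = ""                                   # empty DN models an anonymous bind
def children(base):                         # dn.children=<base>
    base = base.lower()
    return lambda dn, attr: dn.lower() != base and dn.lower().endswith("," + base)
def attrs(*names):                          # attrs=<list>
    wanted = {n.lower() for n in names}
    return lambda dn, attr: attr.lower() in wanted
def both(p, q):                             # dn.children=... attrs=... on one line
    return lambda dn, attr: p(dn, attr) and q(dn, attr)
def by_dn(who):                             # by dn=<who> (exact match)
    return lambda req, dn: req.lower() == who.lower()
def anyone(req, dn):                        # by *
    return True

def evaluate(acl, requester, dn, attr):
    level = "none"
    for what, clauses in acl:
        if not what(dn, attr):
            continue                        # <what> does not match: next directive
        control = None
        for who, lvl, ctrl in clauses:
            if who(requester, dn):
                level, control = lvl, ctrl
                if ctrl != "continue":
                    break
        if control is None:                 # directive matched, no "by" clause did
            return "none"
        if control != "break":
            return level
        # "break": keep walking the remaining directives
    return level

def allows(acl, requester, dn, attr, needed):
    return LEVELS.index(evaluate(acl, requester, dn, attr)) >= LEVELS.index(needed)

PASSWORDS = attrs("userPassword", "sambaLMPassword", "sambaNTPassword")
PEOPLE_SAMBA = both(children(f"ou=People,{BASE}"), attrs("sambaSamAccount"))
PW_RULE = (PASSWORDS, [(by_dn(SAMBAROOT), "write", "stop"), (anyone, "auth", "stop")])
CATCH_ALL = (lambda dn, attr: True, [(anyone, "read", "stop")])   # access to * by * read
# "Case 1": anonymous reaches sambaSamAccount only by falling through "auth break"
ACL_BREAK = [PW_RULE, (PEOPLE_SAMBA, [(by_dn(SAMBAROOT), "write", "stop"), (anyone, "auth", "break")]), CATCH_ALL]
# Howard's version: the same outcome stated explicitly, with no fall-through
ACL_EXPLICIT = [PW_RULE, (PEOPLE_SAMBA, [(by_dn(SAMBAROOT), "write", "stop"), (anyone, "read", "stop")]), CATCH_ALL]
```

Both lists give anonymous "read" on sambaSamAccount and only "auth" on the password attributes; the explicit form just makes that visible in the rule itself rather than in the catch-all.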