RE: ACL questions. Answered (long)
Hi Howard,
Adding "by * read" instead of "by * auth break" works correctly, thanks
for all your help.
Here is the final ACL that works for the purpose of clarifying to the
list:
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
    by * auth
# Allow users to change their login shell by themselves
access to attrs=loginShell
    by self write
# Allow uid=Sambaroot to write any samba entries and objectClass to children
# of ou=People.
access to dn.children="ou=People,dc=math,dc=gatech,dc=edu"
    attrs=objectClass,sambaSamAccount
    by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
    by * read
# Allow uid=Sambaroot to write the mentioned attributes in ou=Groups
access to dn.children="ou=Groups,dc=math,dc=gatech,dc=edu"
    attrs=description,sambaSID,sambaGroupType,displayName,objectClass
    by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
    by * read
# Allow uid=Sambaroot to write the objectClass and samba attributes to
# children of ou=Hosts
access to dn.children="ou=Hosts,dc=math,dc=gatech,dc=edu"
    attrs=objectClass,sambaSamAccount
    by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
    by * read
# Allow uid=Sambaroot to write to all children of ou=Idmap
access to dn.children="ou=Idmap,dc=math,dc=gatech,dc=edu"
    by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
    by * read
# Now we restrict uid=Sambaroot so that this user cannot erase things
access to dn.regex="ou=(.+),dc=math,dc=gatech,dc=edu"
    by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" read
    by * read
# We also allow uid=Sambaroot to add the sambaDomainName entry under the
# database root (same level as rootdn).
access to dn.subtree="dc=math,dc=gatech,dc=edu"
    by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
    by * read
# Then we grant access to read everything else.
access to *
    by * read
On Thu, 11 Mar 2004, Howard Chu wrote:
> > -----Original Message-----
> > From: Diego Julian Remolina [mailto:dijuremo@math.gatech.edu]
>
> > Actually what you suggested is not really working, see my 2 cases. I
> > still need anonymous access to read entries for things like phone
> > numbers, addresses, etc.
> >
> > Case 1. Using by * auth break on ou=People which you say makes no
> > sense actually works.
> >
> > access to attrs=userPassword,sambaLMPassword,sambaNTPassword
> >     by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
> >     by * auth
> >
> > access to dn.children="ou=People,dc=math,dc=gatech,dc=edu"
> >     attrs=sambaSamAccount
> >     by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
> >     by * auth break
> >
> > access to *
> >     by * read
>
> This is a completely different situation from the ACL you posted before. If
> you want "by * read" then you should state that explicitly. Liberal use of
> "break" statements makes the flow of control difficult to understand, and you
> will regret it months from now when you need to make an update to your rules.
>
> access to attrs=userPassword
>     by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
>     by * auth
>
> access to dn.children="ou=People,dc=math,dc=gatech,dc=edu"
>     attrs=sambaSamAccount
>     by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
>     by * read
>
> access to *
>     by * read
>
> -- Howard Chu
> Chief Architect, Symas Corp. Director, Highland Sun
> http://www.symas.com http://highlandsun.com/hyc
> Symas: Premier OpenSource Development and Support
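Howard's point above (that `by * auth break` falling through to `access to * by * read` is just a roundabout `by * read`) can be checked with a toy model of slapd's ordered, first-match ACL evaluation. This is an added example, not code from the thread or from OpenLDAP; it assumes the simplified semantics described in its comments (exact/children/subtree scopes, `*` and `dn=` subjects, `stop`/`break` controls), the names `evaluate`, `compare`, `CASE1` and `EXPLICIT` are its own, the password rule is kept identical in both rule sets, and `uid=diego` is a constructed sample entry.

```python
SAMBAROOT = "uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu"
PEOPLE = "ou=People,dc=math,dc=gatech,dc=edu"
PW_ATTRS = {"userPassword", "sambaLMPassword", "sambaNTPassword"}

def dn_matches(style, pattern, dn):
    """<what> dn scope of a directive; style None means no dn clause (any entry)."""
    dn, pat = dn.lower(), (pattern or "").lower()
    return {None: True, "exact": dn == pat, "children": dn.endswith("," + pat),
            "subtree": dn == pat or dn.endswith("," + pat)}[style]

def who_matches(who, bind_dn):
    """<by> subject: '*' (anyone, anonymous included) or 'dn=<exact DN>'."""
    return who == "*" or (bind_dn is not None and bind_dn.lower() == who[3:].lower())

def evaluate(acl, bind_dn, target_dn, attr):
    """Level bind_dn (None = anonymous) gets on attr of target_dn; first match wins.
    acl: [((dnstyle, dnpattern, attrs-or-None), [(who, level, control), ...]), ...]"""
    granted = "none"
    for (style, pattern, attrs), by_clauses in acl:
        if not dn_matches(style, pattern, target_dn) or (attrs and attr not in attrs):
            continue                      # <what> does not apply: try the next directive
        for who, level, control in by_clauses:
            if who_matches(who, bind_dn):
                granted = level           # a later match replaces (non-incremental levels)
                if control == "stop":
                    return granted
                break                     # 'break': carry on with the next directive
        else:
            return "none"                 # no <by> matched: implicit 'by * none'
    return granted

# Diego's "Case 1": anonymous hits 'by * auth break', then falls through to 'access to *'.
CASE1 = [
    ((None, None, PW_ATTRS), [("dn=" + SAMBAROOT, "write", "stop"), ("*", "auth", "stop")]),
    (("children", PEOPLE, {"sambaSamAccount"}),
     [("dn=" + SAMBAROOT, "write", "stop"), ("*", "auth", "break")]),
    ((None, None, None), [("*", "read", "stop")]),
]
# Howard's version: identical except that 'by * read' is stated explicitly, with no 'break'.
EXPLICIT = [CASE1[0], (("children", PEOPLE, {"sambaSamAccount"}),
            [("dn=" + SAMBAROOT, "write", "stop"), ("*", "read", "stop")]), CASE1[2]]
USER = "uid=diego," + PEOPLE      # constructed sample entry under ou=People
PROBES = [(None, USER, "sambaSamAccount"), (None, USER, "userPassword"),
          (None, USER, "telephoneNumber"), (SAMBAROOT, USER, "sambaSamAccount")]

def compare(acl_a, acl_b, probes=PROBES):
    """[(probe, level under acl_a, level under acl_b)]; equal columns mean equivalent ACLs."""
    return [(p, evaluate(acl_a, *p), evaluate(acl_b, *p)) for p in probes]
```

Running `compare(CASE1, EXPLICIT)` gives the same level for every probe, which is why the explicit `by * read` is the clearer way to write the rule.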