Re: Access list - limiting access to attribute
> I need to limit access to mail-related attributes of my users' tree. I
> created the following acl entries:
>
> access to dn="ou=(groups|users|services),dc=one,dc=two,dc=com$$"
> attrs=mail
> by dn="cn=admin,dc=two,dc=com$$" write
> by self write
> by dn.base="uid=mailBrowser,ou=system,dc=one,dc=two,dc=com" read
> by dn.base="uid=usersBrowser,ou=system,dc=one,dc=two,dc=com" read
>
> access to dn="ou=(groups|users|services),dc=one,dc=two,dc=com$$"
> by dn="cn=admin,dc=two,dc=com$$" write
> by dn.base="uid=usersBrowser,ou=system,dc=one,dc=two,dc=com" read
> by self read
>
> But I still cannot make user "mailBrowser" to browse the attribute
> "mail". It cannot access it unless it is given same privileges as user
> "usersBrowser" has. But it can see all other attributes then.
If you use 2.2 you are not requesting regex dn match; 2.2 defaults to
exact, as clearly stated in the documentation (e.g. slapd.access(5)).
Also, you don't need the double '$$' at the end of the regex. It is only
needed in the <who> clause if using the regex style. Your ACLs should
look like:
access to dn.regex="ou=(groups|users|services),dc=one,dc=two,dc=com$"
attrs=mail
by dn.exact="cn=admin,dc=two,dc=com" write
by self write
by dn.exact="uid=mailBrowser,ou=system,dc=one,dc=two,dc=com" read
by dn.exact="uid=usersBrowser,ou=system,dc=one,dc=two,dc=com" read
access to dn.regex="ou=(groups|users|services),dc=one,dc=two,dc=com$"
by dn.exact="cn=admin,dc=two,dc=com" write
by dn.exact="uid=usersBrowser,ou=system,dc=one,dc=two,dc=com" read
by self read
I assume you mean to allow access to the entire subtree, since the rules,
as written now, imply that a dn
cn=anything,ou=(groups|users|services),dc=one,dc=two,dc=com
would match. BTW, I really can't tell the difference between the <what>
clauses of either rule. They are exactly the same, aren't they?
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
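The following is an added illustration, not part of the thread and not OpenLDAP code: a small Python model of how slapd evaluates the dn match styles discussed above (exact/base, subtree, regex) in the <what> and <who> clauses, and why the poster's rules, read with the 2.2 default of exact matching, never grant mailBrowser anything, while the corrected regex rules give it read on mail and nothing else. It also shows why a literal '$' in a regex-style <who> clause is written '$$': there '$N' is replaced by group N of the <what> regex. DN normalisation is simplified to lower-casing and trimming, and the entry uid=alice,ou=users,dc=one,dc=two,dc=com is a constructed example.

```python
import re

# Added illustration of slapd's <what>/<who> dn match styles; not OpenLDAP code.
# DN normalisation is simplified (slapd also normalises attribute types,
# escaping and whitespace); lower-casing and trimming is enough here.
def normalize_dn(dn: str) -> str:
    return ",".join(part.strip() for part in dn.split(",")).lower()


def what_matches(style, pattern, target_dn):
    """Evaluate dn.<style>="pattern" against a target entry DN.
    Returns (matched, regex_match); the match object only exists for the
    regex style, where a regex-style <who> clause may reference groups as $N."""
    target = normalize_dn(target_dn)
    if style in ("exact", "base"):           # 2.2 default when no style is given
        return normalize_dn(pattern) == target, None
    if style == "subtree":                   # the entry and everything below it
        base = normalize_dn(pattern)
        return target == base or target.endswith("," + base), None
    if style == "regex":                     # not anchored at the start unless '^' is used
        m = re.search(pattern, target, re.IGNORECASE)
        return m is not None, m
    raise ValueError("unknown dn style: " + style)


def expand_who_regex(pattern, what_match):
    """$N in a regex-style <who> clause is group N of the <what> regex, so a
    literal '$' (the end anchor) has to be written as '$$' there."""
    def repl(mo):
        tok = mo.group(0)
        if tok == "$$":
            return "$"
        return re.escape(what_match.group(int(tok[1:]))) if what_match else ""
    return re.sub(r"\$\$|\$\d", repl, pattern)


def who_matches(style, pattern, bind_dn, target_dn, what_match=None):
    bind = normalize_dn(bind_dn)
    if style == "self":
        return bind == normalize_dn(target_dn)
    if style in ("exact", "base"):
        return normalize_dn(pattern) == bind
    if style == "regex":
        return re.search(expand_who_regex(pattern, what_match), bind, re.IGNORECASE) is not None
    raise ValueError("unknown dn style: " + style)


def access_level(rules, target_dn, attr, bind_dn):
    """The first rule whose <what> matches decides; within it the first matching
    <who> gives the level, and no matching <who> means access is denied."""
    for rule in rules:
        matched, m = what_matches(rule["style"], rule["dn"], target_dn)
        if not matched or (rule["attrs"] and attr not in rule["attrs"]):
            continue
        for who_style, who_pattern, level in rule["who"]:
            if who_matches(who_style, who_pattern, bind_dn, target_dn, m):
                return level
        return "none"
    return "none"


ADMIN = "cn=admin,dc=two,dc=com"
MAILB = "uid=mailBrowser,ou=system,dc=one,dc=two,dc=com"
USERSB = "uid=usersBrowser,ou=system,dc=one,dc=two,dc=com"
SUBTREE_RE = "ou=(groups|users|services),dc=one,dc=two,dc=com$"

# The poster's rules: no style given, so the value is compared as an exact DN.
ORIGINAL_RULES = [
    {"style": "exact", "dn": SUBTREE_RE + "$", "attrs": {"mail"},
     "who": [("exact", ADMIN + "$$", "write"), ("self", None, "write"),
             ("base", MAILB, "read"), ("base", USERSB, "read")]},
    {"style": "exact", "dn": SUBTREE_RE + "$", "attrs": None,
     "who": [("exact", ADMIN + "$$", "write"), ("base", USERSB, "read"),
             ("self", None, "read")]},
]
# The corrected rules from the reply.
FIXED_RULES = [
    {"style": "regex", "dn": SUBTREE_RE, "attrs": {"mail"},
     "who": [("exact", ADMIN, "write"), ("self", None, "write"),
             ("exact", MAILB, "read"), ("exact", USERSB, "read")]},
    {"style": "regex", "dn": SUBTREE_RE, "attrs": None,
     "who": [("exact", ADMIN, "write"), ("exact", USERSB, "read"),
             ("self", None, "read")]},
]
ALICE = "uid=alice,ou=users,dc=one,dc=two,dc=com"   # constructed user entry

if __name__ == "__main__":
    for rules, label in ((ORIGINAL_RULES, "original"), (FIXED_RULES, "fixed")):
        for bind, attr in ((MAILB, "mail"), (MAILB, "cn"), (USERSB, "cn"), (ALICE, "mail")):
            print(label, bind.split(",")[0], attr, "->", access_level(rules, ALICE, attr, bind))
```

With the original rules every lookup yields "none": the exact comparison of the regex-looking string against a real DN never succeeds, so neither rule applies and the default deny wins, which is the symptom in the first mail. With the corrected rules mailBrowser reads mail but is denied cn, usersBrowser reads cn, and alice writes her own mail attribute.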