
Re: Access list - limiting access to attribute



> I need to limit access to mail-related attributes of my users' tree. I
> created the following acl entries:
>
> access to dn="ou=(groups|users|services),dc=one,dc=two,dc=com$$"
>    attrs=mail
>    by dn="cn=admin,dc=two,dc=com$$" write
>    by self write
>    by dn.base="uid=mailBrowser,ou=system,dc=one,dc=two,dc=com" read
>    by dn.base="uid=usersBrowser,ou=system,dc=one,dc=two,dc=com" read
>
> access to dn="ou=(groups|users|services),dc=one,dc=two,dc=com$$"
>    by dn="cn=admin,dc=two,dc=com$$" write
>    by dn.base="uid=usersBrowser,ou=system,dc=one,dc=two,dc=com" read
>    by self read
>
> But I still cannot make user "mailBrowser" to browse the attribute
> "mail". It cannot access it unless it is given same privileges as user
> "usersBrowser" has. But it can see all other attributes then.

If you use 2.2 you are not requesting regex dn match; 2.2 defaults to
exact, as clearly stated in the documentation (e.g. slapd.access(5)).
Also, you don't need the double '$$' at the end of the regex.  It is only
needed in the <who> clause if using the regex style.  Your ACLs should
look like:

access to dn.regex="ou=(groups|users|services),dc=one,dc=two,dc=com$"
   attrs=mail
   by dn.exact="cn=admin,dc=two,dc=com" write
   by self write
   by dn.exact="uid=mailBrowser,ou=system,dc=one,dc=two,dc=com" read
   by dn.exact="uid=usersBrowser,ou=system,dc=one,dc=two,dc=com" read

access to dn.regex="ou=(groups|users|services),dc=one,dc=two,dc=com$"
   by dn.exact="cn=admin,dc=two,dc=com" write
   by dn.exact="uid=usersBrowser,ou=system,dc=one,dc=two,dc=com" read
   by self read

I assume you mean to allow access to the entire subtree, since the rules,
as written now, imply that a dn

    cn=anything,ou=(groups|users|services),dc=one,dc=two,dc=com

would match.  BTW, I really can't tell the difference between the <what>
clauses of either rule.  They are exactly the same, aren't they?

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
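To make the difference concrete, here is a toy evaluator of slapd.access(5) first-match semantics (an added example, not OpenLDAP's own code) run over the two ACL sets from this thread. It assumes a constructed entry uid=bob under ou=users, uses a case-insensitive string compare in place of real DN normalisation, and shows why the plain dn= (exact) form matches nothing while dn.regex covers the subtree.

```python
import re
# Toy model of slapd.access(5) evaluation (added example, not OpenLDAP code):
# the first matching "access to" directive wins, then the first matching "by"
# clause inside it.  Simplified: no control flags, no DN normalisation.

def what_matches(rule, entry_dn, attr):
    style, pattern = rule["what"]
    if style == "exact":                  # 2.2 default for a plain dn=
        if entry_dn.lower() != pattern.lower():
            return False
    elif not re.search(pattern, entry_dn, re.IGNORECASE):
        return False                      # dn.regex: no ^ anchor, so children match too
    attrs = rule.get("attrs")
    return attrs is None or attr in attrs

def who_matches(who, bind_dn, entry_dn):
    style, pattern = who
    if style == "self":
        return bind_dn.lower() == entry_dn.lower()
    return bind_dn.lower() == pattern.lower()   # dn.exact (2.2 default for dn=)

def access(acls, bind_dn, entry_dn, attr):
    """Access level a bind DN gets on one attribute of one entry."""
    for rule in acls:
        if not what_matches(rule, entry_dn, attr):
            continue
        for who, level in rule["by"]:
            if who_matches(who, bind_dn, entry_dn):
                return level
        return "none"                     # implicit trailing 'by * none'
    return "none"                         # no directive matched

ADMIN = "cn=admin,dc=two,dc=com"
MAILB = "uid=mailBrowser,ou=system,dc=one,dc=two,dc=com"
USERB = "uid=usersBrowser,ou=system,dc=one,dc=two,dc=com"
WHAT = "ou=(groups|users|services),dc=one,dc=two,dc=com"
def build(style, what_suffix, admin_suffix):
    """The thread's two directives, parametrised by match style and anchors."""
    admin = ("exact", ADMIN + admin_suffix)
    return [
        {"what": (style, WHAT + what_suffix), "attrs": {"mail"},
         "by": [(admin, "write"), (("self", ""), "write"),
                (("exact", MAILB), "read"), (("exact", USERB), "read")]},
        {"what": (style, WHAT + what_suffix),
         "by": [(admin, "write"), (("exact", USERB), "read"), (("self", ""), "read")]},
    ]

ORIGINAL = build("exact", "$$", "$$")   # poster's dn="...$$": literal compare
CORRECTED = build("regex", "$", "")     # dn.regex="...$" and dn.exact="..."
BOB = "uid=bob,ou=users,dc=one,dc=two,dc=com"   # constructed sample entry
```

With ORIGINAL no directive ever matches BOB, so even the admin gets "none"; with CORRECTED mailBrowser reads mail but nothing else, exactly the split the poster wanted.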