> > I need to limit access to mail-related attributes of my users' tree. I created the following acl entries:
> > access to dn="ou=(groups|users|services),dc=one,dc=two,dc=com$$" attrs=mail by dn="cn=admin,dc=two,dc=com$$" write by self write by dn.base="uid=mailBrowser,ou=system,dc=one,dc=two,dc=com" read by dn.base="uid=usersBrowser,ou=system,dc=one,dc=two,dc=com" read
> > access to dn="ou=(groups|users|services),dc=one,dc=two,dc=com$$" by dn="cn=admin,dc=two,dc=com$$" write by dn.base="uid=usersBrowser,ou=system,dc=one,dc=two,dc=com" read by self read
> > But I still cannot make user "mailBrowser" browse the attribute "mail". It cannot access it unless it is given the same privileges as user "usersBrowser" has. But it can see all other attributes then.
> If you use 2.2 you are not requesting regex dn match; 2.2 defaults to exact, as clearly stated in the documentation (e.g. slapd.access(5)). Also, you don't need the double '$$' at the end of the regex. It is only needed in the <who> clause if using the regex style. Your ACLs should look like:
Currently I'm using 2.1.29.
> access to dn.regex="ou=(groups|users|services),dc=one,dc=two,dc=com$" attrs=mail by dn.exact="cn=admin,dc=two,dc=com" write by self write by dn.exact="uid=mailBrowser,ou=system,dc=one,dc=two,dc=com" read by dn.exact="uid=usersBrowser,ou=system,dc=one,dc=two,dc=com" read
> access to dn.regex="ou=(groups|users|services),dc=one,dc=two,dc=com$" by dn.exact="cn=admin,dc=two,dc=com" write by dn.exact="uid=usersBrowser,ou=system,dc=one,dc=two,dc=com" read by self read
I changed it this way but it didn't help. (read below)
> I assume you mean to allow access to the entire subtree, since the rules, as written now, imply that a dn
> cn=anything,ou=(groups|users|services),dc=one,dc=two,dc=com
> would match. BTW, I really can't tell the difference between the <what> clauses of either rule. They are exactly the same, aren't they?
Thank you.
-- Lukas Kubin
phone: +420596398275 email: kubin@opf.slu.cz
Information centre The School of Business Administration in Karvina Silesian University in Opava Czech Republic http://www.opf.slu.cz
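To make the two points in the reply above concrete (a bare dn= that slapd treats as exact never matches the regex-looking pattern, so both directives silently stop applying; with dn.regex the trailing-$ pattern also covers every child entry, so mailBrowser gets read on mail and nothing else), here is an added, constructed Python model of how slapd picks an access directive. It is not OpenLDAP's code: it keeps only the first-matching-<what>, then first-matching-<by> rule and an implicit "by * none", and the DNs, attribute names and the evaluate()/build_acls() helpers are assumptions for the demonstration.

```python
import re

# Constructed, simplified model of slapd access-directive evaluation (not
# OpenLDAP's own code): the first "access to" directive whose <what> matches
# wins, then the first matching <by> clause in it decides; an implicit
# "by * none" ends every directive and the whole list.

def dn_matches(style, pattern, dn):
    """Match a DN against a <what>/<who> dn pattern in the given style."""
    if style in ("exact", "base"):
        return pattern.lower() == dn.lower()
    if style == "regex":
        # slapd runs the regex over the whole normalized DN; the pattern is
        # unanchored on the left, so a trailing-$ pattern matches children too.
        return re.search(pattern, dn, re.IGNORECASE) is not None
    raise ValueError("unknown dn style: %s" % style)

def evaluate(acls, target_dn, attr, requester_dn):
    """Return the access level requester_dn gets on attr of target_dn."""
    for what, by in acls:
        if not dn_matches(what["style"], what["dn"], target_dn):
            continue
        if what.get("attrs") and attr not in what["attrs"]:
            continue
        for who_style, who, level in by:
            if who == "self":
                ok = requester_dn.lower() == target_dn.lower()
            else:
                ok = dn_matches(who_style, who, requester_dn)
            if ok:
                return level
        return "none"      # directive matched, no <by> clause did
    return "none"          # no directive matched at all

def build_acls(what_style):
    """The two directives from the thread, with the <what> dn style as a
    parameter: 2.1 reads a bare dn= as regex, 2.2 reads it as exact."""
    subtree = r"ou=(groups|users|services),dc=one,dc=two,dc=com$"
    admin = ("exact", "cn=admin,dc=two,dc=com", "write")
    users = ("base", "uid=usersBrowser,ou=system,dc=one,dc=two,dc=com", "read")
    mailb = ("base", "uid=mailBrowser,ou=system,dc=one,dc=two,dc=com", "read")
    return [
        ({"style": what_style, "dn": subtree, "attrs": {"mail"}},
         [admin, ("self", "self", "write"), mailb, users]),
        ({"style": what_style, "dn": subtree},
         [admin, users, ("self", "self", "read")]),
    ]
```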