
Re: Access list - limiting access to attribute



Pierangelo Masarati wrote:
I need to limit access to mail-related attributes of my users' tree. I
created the following acl entries:

access to dn="ou=(groups|users|services),dc=one,dc=two,dc=com$$"
  attrs=mail
  by dn="cn=admin,dc=two,dc=com$$" write
  by self write
  by dn.base="uid=mailBrowser,ou=system,dc=one,dc=two,dc=com" read
  by dn.base="uid=usersBrowser,ou=system,dc=one,dc=two,dc=com" read

access to dn="ou=(groups|users|services),dc=one,dc=two,dc=com$$"
  by dn="cn=admin,dc=two,dc=com$$" write
  by dn.base="uid=usersBrowser,ou=system,dc=one,dc=two,dc=com" read
  by self read

But I still cannot make user "mailBrowser" to browse the attribute
"mail". It cannot access it unless it is given same privileges as user
"usersBrowser" has. But it can see all other attributes then.


If you use 2.2 you are not requesting regex dn match; 2.2 defaults to
exact, as clearly stated in the documentation (e.g. slapd.access(5)).
Also, you don't need the double '$$' at the end of the regex. It is only
needed in the <who> clause if using the regex style. Your ACLs should
look like:

Currently I'm using 2.1.29.

access to dn.regex="ou=(groups|users|services),dc=one,dc=two,dc=com$"
   attrs=mail
   by dn.exact="cn=admin,dc=two,dc=com" write
   by self write
   by dn.exact="uid=mailBrowser,ou=system,dc=one,dc=two,dc=com" read
   by dn.exact="uid=usersBrowser,ou=system,dc=one,dc=two,dc=com" read

access to dn.regex="ou=(groups|users|services),dc=one,dc=two,dc=com$"
   by dn.exact="cn=admin,dc=two,dc=com" write
   by dn.exact="uid=usersBrowser,ou=system,dc=one,dc=two,dc=com" read
   by self read

I changed it this way but it didn't help. (Read below.)


I assume you mean to allow access to the entire subtree, since the rules, as written now, imply that a dn

    cn=anything,ou=(groups|users|services),dc=one,dc=two,dc=com

would match.  BTW, I really can't tell the difference between the <what>
clauses of either rule.  They are exactly the same, aren't they?

The difference is that the first rule should define access to all "mail" attributes in the subtree. Maybe I'm wrong, but I used the second rule to define the listed users' access to all other attributes except for "mail".


If I understand it right, the system first checks the first rule to see if I (the mailBrowser user) have enough permission to access <what>. In the first case the <what> only specifies access to the "mail" attribute of objects in the "ou=(groups|users|services),dc=one,dc=two,dc=com$" subtree. Access to the other attributes I specified in the second rule.

Thank you.

--
Lukas Kubin

phone: +420596398275
email: kubin@opf.slu.cz

Information centre
The School of Business Administration in Karvina
Silesian University in Opava
Czech Republic
http://www.opf.slu.cz
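The evaluation order Pierangelo's reply relies on (the first <what> clause that matches the entry and attribute is selected, and only its <who> clauses are consulted) can be traced with a small model. This is an added example, not OpenLDAP code or anything from the thread; it encodes the corrected rules above and assumes a constructed user entry "uid=bob,ou=users,dc=one,dc=two,dc=com".

```python
import re

# Added model of slapd's first-match ACL evaluation, built from the rules in
# the thread; it is not OpenLDAP code. "First matching <what> wins, then first
# matching <who> wins" follows slapd.access(5).

def dn_matches(style, pattern, dn):
    """'exact' compares whole DNs; 'regex' is an unanchored search, as in slapd,
    so a pattern without a leading ^ also matches entries below the ou."""
    if style == "exact":
        return pattern.lower() == dn.lower()
    return re.search(pattern, dn, re.IGNORECASE) is not None

def evaluate(rules, target_dn, attr, bind_dn, default_dn_style="regex"):
    """Access level for bind_dn on attr of target_dn, or 'none'.
    default_dn_style is what a bare dn="..." means: regex in 2.1, exact in 2.2."""
    for rule in rules:
        style = rule.get("dn_style") or default_dn_style
        if not dn_matches(style, rule["dn"], target_dn):
            continue
        if rule["attrs"] is not None and attr not in rule["attrs"]:
            continue  # <what> did not cover this attribute; try the next rule
        for who_style, who, level in rule["by"]:
            if who_style == "self":
                if bind_dn.lower() == target_dn.lower():
                    return level
            elif dn_matches(who_style, who, bind_dn):
                return level
        return "none"  # <what> matched but no <who> did: evaluation stops, deny
    return "none"

SUBTREE = r"ou=(groups|users|services),dc=one,dc=two,dc=com$"
ADMIN = "cn=admin,dc=two,dc=com"
MAILBROWSER = "uid=mailBrowser,ou=system,dc=one,dc=two,dc=com"
USERSBROWSER = "uid=usersBrowser,ou=system,dc=one,dc=two,dc=com"

# The corrected rules from the reply, with explicit dn.regex / dn.exact styles.
RULES = [
    {"dn_style": "regex", "dn": SUBTREE, "attrs": {"mail"},
     "by": [("exact", ADMIN, "write"), ("self", None, "write"),
            ("exact", MAILBROWSER, "read"), ("exact", USERSBROWSER, "read")]},
    {"dn_style": "regex", "dn": SUBTREE, "attrs": None,
     "by": [("exact", ADMIN, "write"), ("exact", USERSBROWSER, "read"),
            ("self", None, "read")]},
]
# The same rules written with a bare dn="..." (no style), as in the first post.
BARE_RULES = [dict(r, dn_style=None) for r in RULES]

BOB = "uid=bob,ou=users,dc=one,dc=two,dc=com"  # constructed user entry
```

With the 2.2 default of exact matching, BARE_RULES grants nothing, because the pattern is compared literally to the DN; with the 2.1 regex default it behaves like RULES. Real slapd additionally requires read access to the "entry" pseudo-attribute before a search returns an entry (see slapd.access(5)); the model omits that check.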
