[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Rights to create a new entry

To: Mailing List <mailinglist@kikamedical.net>
Subject: Re: Rights to create a new entry
From: Pierangelo Masarati <ando@sys-net.it>
Date: Wed, 01 Dec 2004 17:18:08 +0100
Cc: OpenLDAP-software@OpenLDAP.org
References: <41ADCC33.8020100@kikamedical.net> <41ADDFC3.4040600@kikamedical.net>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

Mailing List wrote:

After a lot of tries, I manage to autorise a user to
create a subentry of it own entry with the following
ACL :
access to dn.regex="[^,]+,(cn=[^,]+,ou=users,dc=ouba,dc=org)$" attrs="children" by anonymous none by users none

access to dn.regex="[^,]+,(cn=[^,]+,ou=users,dc=ouba,dc=org)$" by dn.exact,expand="$2" write by anonymous none by users none

Given the second rule, the above is irrelevant, because you're giving write access to the "children" pseudo-attribute of something, but you're not going to give write access to the "entry" pseudo-attribute of its children... If you feel so pedantic, you should maybe consider that you don't want to allow access of whatever stuff, do you? I suggest you precisely list the attributes you want to allow.

In the second rule, the <by anonymous none>, <by users none> is redundant; it can be summarized in <by * none>; but then it's irrelevant, because this is the default behavior so you can omit everything after the <by dn...> clause. However, this ACL setup is still missing the access to the "children" pseudo-attribute of "^cn=[^,]+,ou=users,dc=ouba,dc=org$", you won't be able to add any entry without it.

Add a

access to dn.regex="^cn=[^,]+,ou=users,dc=ouba,dc=org$" attrs=children
       by self write

directive to see it work.

The first one is


... useless ...

to autorise only one level because the second
one give implicit write permission to the children attribute.
Then, in order to modify easily the entry with phpldapadmin, I
have to add this ACL :
access to dn.base="cn=SubSchema" attrs="objectClasses,attributeTypes,ldapSyntaxes" by anonymous none by users read

According to RFC 2251 (3.2.2. Subschema Entries and Subentries) the server MUST give access to the values in the subschemaSubentry of the entries whose modification is allowed, so that clients can see what's the schema for the write operations they're going to perform. So, as soon as an identity is allowed to perform a write operation, you must give it access to the appropriate contents of the "cn=subschema". Apparently, phpldapadmin is a wise client.

Now, I have a little problem, because in reality, when I look for the log, it seems the $2 is not expanded correctly :

then use <by dn.regex="^$2$$" write>.

Note, however, that there is no #2 substring in your <what> pattern: I only see one set of round brackets.

p.


   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497

References:
- Rights to create a new entry
  - From: Mailing List <mailinglist@kikamedical.net>
- Re: Rights to create a new entry
  - From: Mailing List <mailinglist@kikamedical.net>

Prev by Date: Re: weird performance issue
Next by Date: Re: need solution for batch search
Index(es):
- Chronological
- Thread