Re: Rights to create a new entry
Mailing List wrote:
> After a lot of tries, I managed to authorise a user to
> create a subentry of its own entry with the following
> ACL:
> access to dn.regex="[^,]+,(cn=[^,]+,ou=users,dc=ouba,dc=org)$"
>     attrs="children"
>     by anonymous none
>     by users none
> access to dn.regex="[^,]+,(cn=[^,]+,ou=users,dc=ouba,dc=org)$"
>     by dn.exact,expand="$2" write
>     by anonymous none
>     by users none
Given the second rule, the above is irrelevant, because you're giving
write access to the "children" pseudo-attribute of something, but you're
not going to give write access to the "entry" pseudo-attribute of its
children... If you feel so pedantic, you should maybe consider that you
don't want to allow access of whatever stuff, do you? I suggest you
precisely list the attributes you want to allow.
In the second rule, the <by anonymous none>, <by users none> are
redundant; they can be summarized as <by * none>; but then it's
irrelevant, because this is the default behaviour, so you can omit
everything after the <by dn...> clause. However, this ACL setup is
still missing the access to the "children" pseudo-attribute of
"^cn=[^,]+,ou=users,dc=ouba,dc=org$"; you won't be able to add any entry
without it.
Add a
access to dn.regex="^cn=[^,]+,ou=users,dc=ouba,dc=org$" attrs=children
by self write
directive to see it work.
> The first one is
... useless ...
> to authorise only one level because the second
> one gives implicit write permission to the children attribute.
> Then, in order to modify the entry easily with phpldapadmin, I
> have to add this ACL:
> access to dn.base="cn=SubSchema"
>     attrs="objectClasses,attributeTypes,ldapSyntaxes"
>     by anonymous none
>     by users read
According to RFC 2251 (3.2.2. Subschema Entries and Subentries) the
server MUST give access to the values in the subschemaSubentry of the
entries whose modification is allowed, so that clients can see what's
the schema for the write operations they're going to perform. So, as
soon as an identity is allowed to perform a write operation, you must
give it access to the appropriate contents of the "cn=subschema".
Apparently, phpldapadmin is a wise client.
> Now, I have a little problem, because in reality, when I look
> at the log, it seems the $2 is not expanded correctly:
then use <by dn.regex="^$2$$" write>.
Note, however, that there is no #2 substring in your <what> pattern: I
only see one set of round brackets.
p.
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
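To make the two points of the reply concrete (the posted pattern has only one capture group, so "$2" has nothing to expand to, and the unanchored pattern matches more than one level down), here is an added example that is not part of the thread and not OpenLDAP code. It emulates slapd's dn.regex <what> match and the $N expansion of a <by dn.exact,expand="..."> clause with Python's re module. The DNs are constructed for the example, the expansion rules are a simplification (slapd compares normalized DNs; this compares plain strings), and the ACL set in the header comment is reconstructed from the reply's suggestions rather than copied from the thread.

```python
import re

# ACL set reconstructed from the reply's suggestions (slapd.conf syntax),
# assembled for this example:
#
#   # write to the user's own "children" pseudo-attribute: required before
#   # anything can be added below cn=<user>,ou=users,dc=ouba,dc=org
#   access to dn.regex="^cn=[^,]+,ou=users,dc=ouba,dc=org$" attrs=children
#       by self write
#
#   # write to the entries one level below: $1 is the parent DN
#   access to dn.regex="^[^,]+,(cn=[^,]+,ou=users,dc=ouba,dc=org)$"
#       by dn.exact,expand="$1" write
#
#   # schema the writing client needs to see (RFC 2251, 3.2.2)
#   access to dn.base="cn=Subschema"
#       attrs="objectClasses,attributeTypes,ldapSyntaxes"
#       by users read

POSTED = r"[^,]+,(cn=[^,]+,ou=users,dc=ouba,dc=org)$"    # as posted: no ^ anchor
ANCHORED = r"^[^,]+,(cn=[^,]+,ou=users,dc=ouba,dc=org)$"  # anchored at both ends


def expand(pattern, target_dn, template):
    """Emulate a dn.regex <what> match followed by $N expansion of the
    <by dn.exact,expand="..."> template.  Returns None when the target DN
    does not match the pattern at all.  $0 is the whole match, $N the Nth
    capture group and $$ a literal '$' (the notation used in the reply);
    a $N with no corresponding group expands to the empty string, which is
    the symptom the original poster saw with $2.  Simplified emulation
    written for this example, not slapd's own code."""
    m = re.search(pattern, target_dn)  # regexec() semantics: unanchored unless ^...$
    if m is None:
        return None

    def sub(ref):
        tok = ref.group(1)
        if tok == "$":
            return "$"
        n = int(tok)
        if n > len(m.groups()):
            return ""          # no such capture group: expands to nothing
        return m.group(n)      # group(0) is the entire match

    return re.sub(r"\$(\$|\d)", sub, template)


def allowed(bind_dn, pattern, target_dn, template="$1"):
    """Emulate <by dn.exact,expand=template write>: the clause applies only
    when the expanded template equals the bound DN (plain string compare
    here; slapd compares normalized DNs)."""
    expanded = expand(pattern, target_dn, template)
    return expanded is not None and expanded == bind_dn


if __name__ == "__main__":
    alice = "cn=alice,ou=users,dc=ouba,dc=org"          # constructed bind DN
    child = "cn=foo," + alice                            # one level below alice
    grandchild = "cn=x," + child                         # two levels below alice

    print("$2 with one group ->", repr(expand(POSTED, child, "$2")))   # ''
    print("$1 with one group ->", expand(POSTED, child, "$1"))         # alice's DN
    print("unanchored, grandchild ->", expand(POSTED, grandchild, "$1"))
    print("anchored, grandchild ->", expand(ANCHORED, grandchild, "$1"))  # None
    print("alice may write child:", allowed(alice, ANCHORED, child))
    print("bob may write child:", allowed("cn=bob,ou=users,dc=ouba,dc=org",
                                          ANCHORED, child))
```

The unanchored pattern still matches a DN two levels below the user because regexec() looks for the pattern anywhere in the string, so the entry at the grandchild level would also get the expanded clause; with the leading ^ only direct children match, which is the "one level" the original poster wanted.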