Re: ACL Help - detailed information follows
At 02:05 PM 2/16/2006, Terry wrote:
>I am trying to write to an entry. Here is my log:
>
>Feb 16 15:57:18 localhost slapd[26992]: => acl_mask: access to entry
>"uid=39,ou=addr,uid=joe,ou=Users,ou=OxObjects,dc=domain,dc=net", attr
>"telephoneNumber" requested
>by <uid=joe,ou=Users,ou=OxObjects,dc=domain,dc=net>.
>Here is my acl config:
>
>access to dn.base="" by * read
n/a
>access to dn.base="cn=Subschema" by * read
n/a
># protect the userPassword attribute
>access to attr=userPassword
> by self =w
> by anonymous auth
n/a
># global address book
>access to dn.subtree="o=AddressBook,ou=OxObjects,dc=domain,dc=net"
> by group.exact="cn=AddressAdmins,o=AddressBook,ou=OxObjects,dc=domain,dc=net" write
> by users read
n/a
># personal address book
>access to dn.regex="^ou=addr,(uid=([^,]+),ou=Users,ou=OxObjects,dc=domain,dc=net)$" attrs=children
> by dn.exact,expand="$1" write
n/a
>access to dn.regex="^uid=([^,]+),ou=addr,(uid=([^,]+),ou=Users,ou=OxObjects,dc=domain,dc=net)$" attrs=entry
> by dn.exact,expand="$2" write
n/a
># default rule allowing users full access to their own entries
>access to *
> by self write
> by users read
applicable. target not subject, subject is authenticated, so read
should be granted.
>Feb 16 15:57:18 localhost slapd[26992]: => access_allowed: write
>access denied by read(=rscx)