
acl and regex



Hello everyone,

I have the following structure in my ldap tree:

                   dc=com
                     |
                 dc=example
                     |
        ---------------------------------
        /              |                \
   ou=users      ou=addressbook      cn=admin
    /     \
 uid(1)   uid(2)...
   |         |
ou=addressbook  ou=addressbook

cn=admin (organizationalRole) 
uid=user1 (account, simpleSecurityObject)
ou=addressbook (organizationalUnit)

and I would like to achieve:
1) all users are able to write to (ou=addressbook,dc=example,dc=com),
2) every user has his own private address book to which only he has access
(ou=addressbook,uid=(.*),ou=users,dc=example,dc=com).

The following config allows all users to access
(ou=addressbook,dc=example,dc=com) but nobody except
(cn=admin,dc=example,dc=com) can access private address books. Why?


######## slapd.conf ##########
...
#PASSWORDS
access to attrs=userPassword
        by dn="cn=admin,dc=example,dc=com" write
        by self write
        by anonymous    auth
        by * none

#PRIVATE ADDRESSBOOK
#access to dn.regex="^ou=addressbook,uid=([^,]+),ou=users,dc=example,dc=com$"
access  to dn.subtree="ou=addressbook,uid=(.*),ou=users,dc=example,dc=com"
        by dn="uid=$1,ou=users,dc=example,dc=com"   write
        by *                          read

#ADDRESSBOOK
access to dn.subtree="ou=addressbook,dc=example,dc=com"
        by users write
        by anonymous none

access to *
        by dn="cn=admin,dc=example,dc=com" write
        by * none

defaultaccess none
...
###########################


(And I have noticed one other thing. If I try to search for a userPassword the
result is returned only to "cn=admin,dc=example,dc=com", that is all user
passwords. If I try the same thing when I am logged in
as "uid=user1,ou=users,dc=example,dc=com" I get an empty result set and not the
password of the connected user.)

What am I doing wrong? Thx in advance for answers.

btw: slapd 2.2.26 - kubuntu

regards, 
tomaz
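As an added example, not part of the original post or of the poster's slapd.conf, here is an ACL fragment in OpenLDAP 2.2 slapd.conf syntax for the same tree that captures the owner's uid with `dn.regex` and expands it in the `by` clause with `dn.exact,expand`; the `dn.subtree` form above treats `(.*)` as a literal DN and so never matches, leaving the private ou to fall through to the final `access to *` rule.

```conf
# Added example (not the poster's config). Assumes the tree shown in the post:
# shared book at ou=addressbook,dc=example,dc=com, private books at
# ou=addressbook,uid=<user>,ou=users,dc=example,dc=com.
# slapd applies the first "access to" clause whose <what> matches the entry,
# so the more specific rules are listed first.

#PASSWORDS: only the entry owner and the admin may read/modify the hash
access to attrs=userPassword
        by dn.exact="cn=admin,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none

#PRIVATE ADDRESSBOOK
# "^(.+,)?" makes the pattern cover the ou entry itself and everything
# below it; "([^,]+)" captures the owner's uid as submatch $2. The expand
# modifier substitutes $2 into the by-clause DN before the exact compare.
access to dn.regex="^(.+,)?ou=addressbook,uid=([^,]+),ou=users,dc=example,dc=com$"
        by dn.exact="cn=admin,dc=example,dc=com" write
        by dn.exact,expand="uid=$2,ou=users,dc=example,dc=com" write
        by * none

#USER ENTRIES
# A bound user needs read access to its own entry (the "entry"
# pseudo-attribute), otherwise a search as that user returns nothing.
access to dn.one="ou=users,dc=example,dc=com"
        by dn.exact="cn=admin,dc=example,dc=com" write
        by self read
        by users read

#SHARED ADDRESSBOOK: any authenticated user may write, anonymous gets nothing
access to dn.subtree="ou=addressbook,dc=example,dc=com"
        by dn.exact="cn=admin,dc=example,dc=com" write
        by users write
        by anonymous none

#EVERYTHING ELSE
access to *
        by dn.exact="cn=admin,dc=example,dc=com" write
        by * none
```

Every `by` clause uses an explicit style (`exact`, `one`, `subtree`, `regex`) so the result does not depend on the version-specific default style for a bare `dn=`.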