
Re: ldap ACLS with regex



Thanks for the help, Pierangelo, but it's still not working.

Pierangelo Masarati wrote:
What about a brute force approach, piping /dev/random into slapd.conf?
How can I do this?

Or, try (please replace "dc=suffix" with your suffix; I had to use it
otherwise my mailer would automatically wrap stuff)

# allow to write the "ou=ImPrefs" below self (must exist);
# the single capture group holds "<uid>,ou=People,dc=suffix", so $1 expands to the full user DN
access to
dn.regex="^ou=ImPrefs,uid=([^,]+,ou=People,dc=suffix)$"
by dn.exact,expand="uid=$1" write
This doesn't work: user1 reads the ImPrefs of other users and can't write its own ImPrefs. But my following regex works fine:

access  to dn.regex="^.*,uid=([^,]+),(.*),ou=People,dc=ucs,dc=br$"
       by dn.exact,expand="uid=$1,$2,ou=People,dc=ucs,dc=br"   write
       by *                                            none



# allow to create objects in one's addressbook (must exist)
access to
	dn.regex="cn=([^,]+),ou=PersonalAddressBook,dc=suffix$"
	attrs=children
	by dn.exact,expand="uid=$1,ou=People,dc=suffix" write

# allow to create objects in one's addressbook
access to
dn.regex="(.+,)?cn=([^,]+),ou=PersonalAddressBook,dc=suffix$"
by dn.exact,expand="uid=$2,ou=People,dc=suffix" write
I tried this and it doesn't work :-(

I also tried to adapt it to my LDAP structure:

access to
       dn.regex="ou=([^,]+),cn=*,ou=PersonalAddressBook,dc=suffix$"
       by dn.exact,expand="uid=$1,*,ou=People,dc=ucs,dc=br" write


but it doesn't work. It's not so easy :-(

I note that if you need to do something special, like allow a user to
create the "ou=ImPrefs" entry, or the "cn=<uid>" entry in
"ou=PersonalAddressBook,dc=suffix", then you'll need more rules to allow
entry and children writing.

None work yet. I set ACL debugging in my slapd.conf and get this log when I try to change my own PersonalAddressBook with the ACL:


access to
       dn.regex="ou=([^,]+),cn=*,ou=PersonalAddressBook,dc=suffix$"
       by dn.exact,expand="uid=$1,*,ou=People,dc=ucs,dc=br" write

LOG:
slapd[3497]: modifications:
slapd[3497]: ^Ireplace: mail
slapd[3497]: ^I^Ione value, length 14
slapd[3497]: conn=0 op=12 MOD dn="cn=foo bar,ou=user1,ou=PersonalAddressBook,dc=suffix"
slapd[3497]: conn=0 op=12 MOD attr=mail
slapd[3497]: bdb_dn2entry("cn=foo bar,ou=user1,ou=personaladdressbook,dc=suffix")
slapd[3497]: bdb_modify: cn=foo bar,ou=user1,ou=PersonalAddressBook,dc=suffix
slapd[3497]: bdb_dn2entry("cn=foo bar,ou=user1,ou=personaladdressbook,dc=suffix")
slapd[3497]: bdb_modify_internal: 0x00021fa3: cn=foo bar,ou=user1,ou=PersonalAddressBook,dc=suffix
slapd[3497]: => access_allowed: delete access to "cn=foo bar,ou=user1,ou=PersonalAddressBook,dc=suffix" "mail" requested
slapd[3497]: => dnpat: [4] ^.*,uid=([^,]+),(.*),ou=People,dc=suffix$ nsub: 2
slapd[3497]: => dnpat: [5] ou=([^,]+),cn=*,ou=PersonalAddressBook,dc=suffix$ nsub: 1
slapd[3497]: => acl_get: [6] attr mail
slapd[3497]: access_allowed: no res from state (mail)
slapd[3497]: => acl_mask: access to entry "cn=foo bar,ou=user1,ou=PersonalAddressBook,dc=suffix", attr "mail" requested
May 15 09:27:36 ops2 slapd[3497]: => acl_mask: to all values by "uid=user1,ou=npdu,ou=prad,ou=reit,ou=people,dc=suffix", (=0)
slapd[3497]: <= check a_dn_pat: *
slapd[3497]: <= acl_mask: [1] applying read(=rscxd) (stop)
slapd[3497]: <= acl_mask: [1] mask: read(=rscxd)
slapd[3497]: => access_allowed: delete access denied by read(=rscxd)
slapd[3497]: bdb_modify: modify failed (50)
slapd[3497]: send_ldap_result: conn=0 op=12 p=3
slapd[3497]: send_ldap_result: err=50 matched="" text=""
slapd[3497]: send_ldap_response: msgid=13 tag=103 err=50
slapd[3497]: conn=0 op=12 RESULT tag=103 err=50 text=



If you have more suggestions, please let me know.

--
Jeronimo Zucco
LPIC-1 Linux Professional Institute Certified
Núcleo de Processamento de Dados
Universidade de Caxias do Sul

http://jczucco.blogspot.com
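The log above already says why ACL [5] never applies: its dnpat does not match the entry DN, so slapd falls through to ACL [6], whose "by *" clause grants only read(=rscxd), and the modify is refused with err=50. Two things are wrong in that pattern: the RDN order is reversed (the per-user "ou=<uid>" container sits above the "cn=..." contact entries, not below them), and "cn=*" is not a wildcard in a regex, it means "cn" followed by zero or more "=". The following Python script is an added example, not code from this thread; it models how slapd evaluates a dn.regex ACL (the "to" pattern is run against the entry DN, $<n> in the "by" pattern is replaced by the captured substrings, and the expanded "by" pattern is matched against the bound DN; slapd compiles these as case-insensitive POSIX extended regexes, which Python's re module only approximates) and compares the posted rule with a corrected one. The corrected rule, the slapd.conf fragment embedded as a string, and the second user's bind DN are assumptions of the example, not something from the thread; the corrected "by" clause uses dn.regex rather than dn.exact,expand because the bound user's entry lies under intermediate OUs (ou=npdu,ou=prad,ou=reit) that the "to" regex cannot reconstruct.

```python
import re

# Added example, not part of the thread. Models slapd's dn.regex ACL evaluation.

# DNs taken from the log in the message above (slapd matches ACL regexes
# case-insensitively; bdb_dn2entry shows the lowercased normalized entry DN).
ENTRY_DN = "cn=foo bar,ou=user1,ou=PersonalAddressBook,dc=suffix"
BIND_DN = "uid=user1,ou=npdu,ou=prad,ou=reit,ou=people,dc=suffix"
# Constructed: a second user's bind DN, to check that the rule stays per-user.
OTHER_BIND_DN = "uid=user2,ou=npdu,ou=prad,ou=reit,ou=people,dc=suffix"

# ACL [5] as posted: reversed RDN order, and "cn=*" is not a wildcard.
POSTED_TO = r"ou=([^,]+),cn=*,ou=PersonalAddressBook,dc=suffix$"
POSTED_BY = r"uid=$1,*,ou=People,dc=ucs,dc=br"   # dn.exact: "*" is a literal here

# Corrected rule (assumed form, not from the thread). <to> matches the per-user
# container "ou=<uid>" and anything below it, capturing the uid as $2; <by> is a
# dn.regex pattern so the intermediate OUs of the user's own entry can be anything.
FIXED_TO = r"^(.+,)?ou=([^,]+),ou=PersonalAddressBook,dc=suffix$"
FIXED_BY = r"^uid=$2,.*,ou=People,dc=suffix$"

# The same rule as it would be written in slapd.conf (assumed, not tested in slapd).
# It must precede any general "access to * by * read" rule, since ACLs are
# selected by the first <to> clause that matches the entry.
SLAPD_CONF_FRAGMENT = """
access to dn.regex="^(.+,)?ou=([^,]+),ou=PersonalAddressBook,dc=suffix$"
        by dn.regex="^uid=$2,.*,ou=People,dc=suffix$" write
        by * none
"""


def expand(by_pattern, to_match):
    """Substitute $1..$9 in a <by> pattern with the <to> capture groups.

    As in slapd, the captured text is inserted verbatim (not regex-escaped),
    so a captured value containing regex metacharacters would change the
    pattern. An optional group that did not participate expands to "".
    """
    def sub(m):
        return to_match.group(int(m.group(1))) or ""
    return re.sub(r"\$(\d)", sub, by_pattern)


def acl_matches(to_pattern, by_pattern, entry_dn, bind_dn, by_style="regex"):
    """Return True if this ACL clause applies to (entry_dn, bind_dn).

    by_style "regex" treats the expanded <by> as a regex (dn.regex);
    "exact" compares it to the bind DN as a literal (dn.exact,expand).
    """
    to_match = re.search(to_pattern, entry_dn, re.IGNORECASE)
    if to_match is None:
        return False   # <to> does not apply; slapd moves on to the next ACL
    who = expand(by_pattern, to_match)
    if by_style == "exact":
        return who.lower() == bind_dn.lower()
    return re.search(who, bind_dn, re.IGNORECASE) is not None


def posted_rule_applies(entry_dn=ENTRY_DN, bind_dn=BIND_DN):
    return acl_matches(POSTED_TO, POSTED_BY, entry_dn, bind_dn, by_style="exact")


def fixed_rule_applies(entry_dn=ENTRY_DN, bind_dn=BIND_DN):
    return acl_matches(FIXED_TO, FIXED_BY, entry_dn, bind_dn)


if __name__ == "__main__":
    print("posted ACL [5] applies: ", posted_rule_applies())
    print("fixed ACL, own book:    ", fixed_rule_applies())
    print("fixed ACL, other user:  ", fixed_rule_applies(bind_dn=OTHER_BIND_DN))
    print("fixed ACL, container:   ",
          fixed_rule_applies(entry_dn="ou=user1,ou=PersonalAddressBook,dc=suffix"))
```

The "by * none" line matters: without it, evaluation of a matching "to" clause ends with slapd's implicit "by * none" anyway, but stating it keeps other users from being granted anything by a later catch-all rule once this "to" pattern has been selected. Creating a new contact entry additionally needs write access to the "children" pseudo-attribute of the parent, which this single rule (no attrs= restriction, so entry and all attributes) already covers.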