Re: ldap ACLS with regex
Thanks for the help, Pierangelo, but it's still not working.
Pierangelo Masarati wrote:
> What about a brute force approach, piping /dev/random into slapd.conf?
How can I do this?
> Or, try (please replace "dc=suffix" with your suffix; I had to use it
> otherwise my mailer would automatically wrap stuff)
> # allow to write the "ou=ImPrefs" below self (must exist)
> access to dn.regex="^ou=ImPrefs,uid=([^,]+,ou=People,dc=suffix)$"
> by dn.exact,expand="uid=$1" write
This doesn't work: user1 reads the ImPrefs of other users and can't write
its own ImPrefs. But the following regex of mine works fine:
access to dn.regex="^.*,uid=([^,]+),(.*),ou=People,dc=ucs,dc=br$"
by dn.exact,expand="uid=$1,$2,ou=People,dc=ucs,dc=br" write
by * none
> # allow to create objects in one's addressbook (must exist)
> access to dn.regex="cn=([^,]+),ou=PersonalAddressBook,dc=suffix$"
> attrs=children
> by dn.exact,expand="uid=$1,ou=People,dc=suffix" write
> # allow to create objects in one's addressbook
> access to dn.regex="(.+,)?cn=([^,]+),ou=PersonalAddressBook,dc=suffix$"
> by dn.exact,expand="uid=$2,ou=People,dc=suffix" write
I tried this and it doesn't work :-(
I also tried to adapt it to my LDAP structure:
access to dn.regex="ou=([^,]+),cn=*,ou=PersonalAddressBook,dc=suffix$"
by dn.exact,expand="uid=$1,*,ou=People,dc=ucs,dc=br" write
but it doesn't work. It's not so easy :-(
> I note that if you need to do something special, like allow a user to
> create the "ou=ImPrefs" entry, or the "cn=<uid>" entry in
> "ou=PersonalAddressBook,dc=suffix", then you'll need more rules to allow
> entry and children writing.
None work yet. I set ACL debugging in my slapd.conf and got this log when I
try to change my own PersonalAddressBook with this ACL:
access to dn.regex="ou=([^,]+),cn=*,ou=PersonalAddressBook,dc=suffix$"
by dn.exact,expand="uid=$1,*,ou=People,dc=ucs,dc=br" write
LOG:
slapd[3497]: modifications:
slapd[3497]: ^Ireplace: mail
slapd[3497]: ^I^Ione value, length 14
slapd[3497]: conn=0 op=12 MOD dn="cn=foo bar,ou=user1,ou=PersonalAddressBook,dc=suffix"
slapd[3497]: conn=0 op=12 MOD attr=mail
slapd[3497]: bdb_dn2entry("cn=foo bar,ou=user1,ou=personaladdressbook,dc=suffix")
slapd[3497]: bdb_modify: cn=foo bar,ou=user1,ou=PersonalAddressBook,dc=suffix
slapd[3497]: bdb_dn2entry("cn=foo bar,ou=user1,ou=personaladdressbook,dc=suffix")
slapd[3497]: bdb_modify_internal: 0x00021fa3: cn=foo bar,ou=user1,ou=PersonalAddressBook,dc=suffix
slapd[3497]: => access_allowed: delete access to "cn=foo bar,ou=user1,ou=PersonalAddressBook,dc=suffix" "mail" requested
slapd[3497]: => dnpat: [4] ^.*,uid=([^,]+),(.*),ou=People,dc=suffix$ nsub: 2
slapd[3497]: => dnpat: [5] ou=([^,]+),cn=*,ou=PersonalAddressBook,dc=suffix$ nsub: 1
slapd[3497]: => acl_get: [6] attr mail
slapd[3497]: access_allowed: no res from state (mail)
slapd[3497]: => acl_mask: access to entry "cn=foo bar,ou=user1,ou=PersonalAddressBook,dc=suffix", attr "mail" requested
May 15 09:27:36 ops2 slapd[3497]: => acl_mask: to all values by "uid=user1,ou=npdu,ou=prad,ou=reit,ou=people,dc=suffix", (=0)
slapd[3497]: <= check a_dn_pat: *
slapd[3497]: <= acl_mask: [1] applying read(=rscxd) (stop)
slapd[3497]: <= acl_mask: [1] mask: read(=rscxd)
slapd[3497]: => access_allowed: delete access denied by read(=rscxd)
slapd[3497]: bdb_modify: modify failed (50)
slapd[3497]: send_ldap_result: conn=0 op=12 p=3
slapd[3497]: send_ldap_result: err=50 matched="" text=""
slapd[3497]: send_ldap_response: msgid=13 tag=103 err=50
slapd[3497]: conn=0 op=12 RESULT tag=103 err=50 text=
If you have more suggestions, please let me know.
--
Jeronimo Zucco
LPIC-1 Linux Professional Institute Certified
Núcleo de Processamento de Dados
Universidade de Caxias do Sul
http://jczucco.blogspot.com
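An added example (not part of the thread, and not slapd's own code) that models how a slapd `to dn.regex` clause and an expanded `by` clause combine, using the DNs visible in the log above: it shows why `cn=*` never matches (it is a regex, not a glob), why `dn.exact,expand` cannot rebuild a bind DN whose intermediate OUs (ou=npdu,ou=prad,ou=reit) are absent from the target DN, and how a regex-style `by` clause with `$2` sidesteps that. Assumptions: lower-casing both DNs stands in for slapd's DN normalisation, and a regex-style `by` pattern expands `$N` submatches as slapd.access(5) describes; `dc=suffix` is the thread's placeholder suffix.

```python
import re

# Constructed sample DNs, modelled on the ones in the thread's log.
OWNER_DN = "uid=user1,ou=npdu,ou=prad,ou=reit,ou=people,dc=suffix"
OTHER_DN = "uid=user2,ou=npdu,ou=prad,ou=reit,ou=people,dc=suffix"
TARGET_DN = "cn=foo bar,ou=user1,ou=personaladdressbook,dc=suffix"
CONTAINER_DN = "ou=user1,ou=personaladdressbook,dc=suffix"

def expand(template, match):
    """Replace $1..$9 in a 'by' pattern with submatches of the 'to' regex."""
    return re.sub(r"\$([1-9])",
                  lambda m: match.group(int(m.group(1))) or "", template)

def acl_grants(to_regex, by_style, by_pattern, target_dn, bind_dn):
    """Model one access rule: does the 'by' clause select bind_dn for target_dn?

    Lower-casing approximates slapd's normalised DNs (a modelling assumption).
    by_style is "exact" (dn.exact,expand) or "regex" (dn.regex, $N expanded).
    """
    m = re.search(to_regex, target_dn.lower())
    if not m:
        return False                      # 'to' clause does not apply at all
    who = expand(by_pattern, m)
    if by_style == "exact":
        return who.lower() == bind_dn.lower()
    if by_style == "regex":
        return re.search(who, bind_dn.lower()) is not None
    raise ValueError(by_style)

# 1) The thread's attempt: 'cn=*' means "cn followed by zero or more '='",
#    and the ou=.../cn=... order is reversed, so the 'to' clause never matches.
BROKEN_TO = r"ou=([^,]+),cn=*,ou=personaladdressbook,dc=suffix$"

# 2) The address-book entries only carry the owner's uid (ou=user1), so an
#    exact expanded DN cannot contain the intermediate OUs of the bind DN.
FIXED_TO = r"^(.+,)?ou=([^,]+),ou=personaladdressbook,dc=suffix$"
EXACT_BY = "uid=$2,ou=people,dc=suffix"

# 3) A regex-style 'by' clause wildcards the intermediate OUs instead,
#    while still pinning the uid to the address book's owner.
REGEX_BY = r"^uid=$2,.*,ou=people,dc=suffix$"

if __name__ == "__main__":
    print(acl_grants(BROKEN_TO, "exact", EXACT_BY, TARGET_DN, OWNER_DN))  # False
    print(acl_grants(FIXED_TO, "exact", EXACT_BY, TARGET_DN, OWNER_DN))   # False
    print(acl_grants(FIXED_TO, "regex", REGEX_BY, TARGET_DN, OWNER_DN))   # True
    print(acl_grants(FIXED_TO, "regex", REGEX_BY, TARGET_DN, OTHER_DN))   # False
```

The same `FIXED_TO` pattern also matches the `ou=user1` container itself, which is what an `attrs=children` rule for creating entries needs.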