Re: Help for special ACL needed
Florian Götz <f.goetz@hs-mannheim.de> writes:
> A warm "Hello" from Germany to the openldap-technical list!
>
> I'm rather new to OpenLDAP, using version 2.4.12 on a SLES11 server.
> I need to write an ACL which allows a user to see his own entry (objectClass
> built up on inetOrgPerson) and nothing else.
> I know that this isn't the intended use of the LDAP system, but our manager
> wants it that way.
>
> I tried it with some kind of that:
>
> access to dn.regex="uid=([^,]+),dc=justushere,dc=de$" attrs=entry
> by dn.regex="uid=$1,ou=Users,dc=justushere,dc=de" write
> by users none
>
> but I just get a message about invalid credentials.
> Used command was:
> ldapsearch -xWD uid=user1,ou=users,dc=justushere,dc=de uid=user1
According to your ACLs a subtree search is not allowed.
>
> ldapsearch -xWD cn=admin,dc=justushere,dc=de uid=user1 with the rootdn
> account shows the information, but if the uid of the user1 is used for binding
> it fails.
>
> Has anyone an idea how to realize these restrictions?
# slapd.conf: the entries live under ou=users (that is the DN you bind with and
# search), so the target regex has to include that RDN or it never matches.
# $1 is the uid captured by the target regex; "expand" substitutes it into the
# "by" DN, so each user matches only the rule for his own entry.
# Replace "more attrs" with the attributes the user may read.
access to dn.regex="^uid=([^,]+),ou=users,dc=justushere,dc=de$"
        attrs=entry,more attrs
        by dn.exact,expand="uid=$1,ou=users,dc=justushere,dc=de" write
        by * none

ldapsearch -x -W -D uid=user1,ou=users,dc=justushere,dc=de -b uid=user1,ou=users,dc=justushere,dc=de -s base
should do what you want.
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dpunkt.de/buecher/2104.html
sip: +49.180.1555.7770535
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
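The following is an added illustration, not code from the thread or from OpenLDAP: a small Python model of how a slapd.conf "access to dn.regex=... by dn.exact,expand=..." directive pairs the capture group in the target regex with "$1" in the bind-DN pattern, and why a subtree search from the suffix gets nothing under such a rule set. DN normalization is approximated by lowercasing, the rules and DNs are constructed for the example, and the implicit trailing "by * none" is modelled as slapd documents it once any access directive exists.

```python
import re

# Constructed model of slapd.conf access directives (added example, not slapd's
# own ACL engine). Once any "access to" directive exists, slapd's implicit
# final rule is "by * none"; that is the value returned when nothing matches.
IMPLICIT_DEFAULT = "none"


def normalize(dn):
    """Approximate slapd DN normalization: lowercase, no blanks around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


class AccessRule:
    """One 'access to dn.regex=<target> attrs=... by <who> <level> by * none'."""

    def __init__(self, target_regex, attrs, by_who, level):
        self.target = re.compile(target_regex)
        self.attrs = set(attrs)
        self.by_who = by_who      # dn.exact,expand pattern containing "$1"
        self.level = level

    def evaluate(self, target_dn, attr, bind_dn):
        """Access level for bind_dn on (target_dn, attr), or None if the
        target clause of this rule does not apply to that entry/attribute."""
        m = self.target.search(normalize(target_dn))
        if m is None or attr not in self.attrs:
            return None
        # dn.exact,expand: substitute $1 with the captured uid, then compare
        # the whole normalized DN with the bound DN.
        expanded = normalize(self.by_who.replace("$1", m.group(1)))
        if expanded == normalize(bind_dn):
            return self.level
        return "none"             # the trailing "by * none" of this rule


def access_level(rules, target_dn, attr, bind_dn):
    """First matching rule wins, as in slapd; otherwise the implicit default."""
    for rule in rules:
        level = rule.evaluate(target_dn, attr, bind_dn)
        if level is not None:
            return level
    return IMPLICIT_DEFAULT


# The original target regex anchors "uid=X" directly under the suffix, so an
# entry that actually lives under ou=users never matches it.
ORIGINAL = AccessRule(r"uid=([^,]+),dc=justushere,dc=de$", ["entry"],
                      "uid=$1,ou=Users,dc=justushere,dc=de", "write")
# Corrected: the target regex describes where the entries really are.
FIXED = AccessRule(r"^uid=([^,]+),ou=users,dc=justushere,dc=de$", ["entry"],
                   "uid=$1,ou=users,dc=justushere,dc=de", "write")

# Constructed DNs following the thread's naming.
USER1 = "uid=user1,ou=users,dc=justushere,dc=de"
USER2 = "uid=user2,ou=users,dc=justushere,dc=de"
SUFFIX = "dc=justushere,dc=de"    # base of a subtree search

if __name__ == "__main__":
    for label, rules in (("original", [ORIGINAL]), ("fixed", [FIXED])):
        print(label, "user1 -> own entry   :", access_level(rules, USER1, "entry", USER1))
        print(label, "user1 -> user2 entry :", access_level(rules, USER2, "entry", USER1))
        print(label, "user1 -> suffix entry:", access_level(rules, SUFFIX, "entry", USER1))
```

Run as a script it shows the three outcomes the reply relies on: with the corrected rule user1 gets "write" on his own entry and "none" on user2's; the suffix entry is matched by no rule at all, so a subtree search from dc=justushere,dc=de falls to the implicit default and returns nothing, which is why a base-scoped search (-s base) on the user's own DN is required.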