[Date Prev][Date Next] [Chronological] [Thread] [Top]

acls help

To: openldap-technical@openldap.org
Subject: acls help
From: Juliano Rodrigues <juliano@linuxclass.com.br>
Date: Tue, 20 Jul 2010 21:28:53 -0300
User-agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.10) Gecko/20100512 Thunderbird/3.0.5

Hello,

Im using Phamm, its an php-web front-end to manage ldap postfix virtualhosting mail env. at my Fedora 11 box (openldap 2.4.15-7).


Its designed to manage multi roles access:

Admin/Manager (full access)
postmaster (manage accounts under own domain)
account/user (manage own account only)

Install instructions from Phamm autor, recommends to do an include atend of slapd.conf to phamm.acl file.


But its not working here, only Admin or Manager (rootdn) can write changes.

User postmaster cannot write and account users have read only access aswell.

Below I post phamm.acl, Please, Can anyone help me with this aclsissue? Thanks! Juliano.


--- phamm.acl ---

access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$"attrs=userPassword

    by dn="cn=admin,dc=example,dc=tld" write
        by self write
        by anonymous auth

bydn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" write

        by set.expand="user/vd & [$1]" write

access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$"attrs=amavisBypassVirusChecks,quota,smtpAuth,accountActive

    by dn="cn=admin,dc=example,dc=tld" write
        by self read
        by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read
        by set.expand="user/editAccounts & [TRUE]" write

bydn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" read

        by set.expand="user/vd & [$1]" write

access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$"attrs=cn,sn,uid,forwardActive,vacationActive,vacationInfo,vacationStart,vacationEnd,vacationForward,amavisSpamTagLevel,amavisSpamTag2Level,amavisSpamKillLevel

    by dn="cn=admin,dc=example,dc=tld" write
        by self write
        by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read

bydn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" write

        by set.expand="user/vd & [$1]" write

access to dn.regex="^.*,vd=([^,]+),o=hosting,dc=example,dc=tld$"attrs=editAccounts

    by dn="cn=admin,dc=example,dc=tld" write
        by self read
        by set.expand="user/editAccounts & [TRUE]" write
        by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read
        by * none

access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$"attrs=objectClass,entry

    by dn="cn=admin,dc=example,dc=tld" write
        by self write
        by anonymous read
        by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read
        by set.expand="user/editAccounts & [TRUE]" write

bydn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" read

access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$"attrs=amavisBypassSpamChecks,accountActive,delete

    by dn="cn=admin,dc=example,dc=tld" write
        by self read
        by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read

bydn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" write

        by set.expand="user/vd & [$1]" write

access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$"attrs=otherPath

    by dn="cn=admin,dc=example,dc=tld" write
        by anonymous read
        by self read
        by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read

bydn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" read

        by set.expand="user/vd & [$1]" write

access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$"attrs=createMaildir,vdHome,mailbox,otherTransport

    by dn="cn=admin,dc=example,dc=tld" write
        by self read
        by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read
        by set.expand="user/vd & [$1]" read

access to dn.regex="^(.+,)?vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=vd
    by dn="cn=admin,dc=example,dc=tld" write
        by self write
        by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read

bydn.exact,expand="cn=postmaster,vd=$2,o=hosting,dc=example,dc=tld" write

        by set.expand="user/vd & [$2]" write

access to dn.regex="^(.+,)?vd=([^,]+),o=hosting,dc=example,dc=tld$"
    by dn="cn=admin,dc=example,dc=tld" write
        by self write
        by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read
        by set.expand="user/editAccounts & [FALSE]" read

bydn.exact,expand="cn=postmaster,vd=$2,o=hosting,dc=example,dc=tld" write

        by set.expand="user/vd & [$2]" write

access to dn.regex=".+,o=hosting,dc=example,dc=tld$"
    by dn="cn=admin,dc=example,dc=tld" write
        by self write
        by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read
        by anonymous auth

access to dn.regex=".+,dc=tld$"
        by dn="cn=admin,dc=example,dc=tld" write
        by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read
        by anonymous auth

access to dn.regex=".+,ou=admin,dc=example,dc=tld$" attrs=userPassword
    by dn="cn=admin,dc=example,dc=tld" write
        by self write
        by anonymous auth

access to dn.regex=".+,ou=admin,dc=example,dc=tld$" attrs=vd
    by dn="cn=admin,dc=example,dc=tld" write
        by self read

access to dn.regex="ou=admin,dc=example,dc=tld$"
    by dn="cn=admin,dc=example,dc=tld" write
        by self read

--- end ---

Follow-Ups:
- Re: acls help
  - From: Jonathan Clarke <jonathan@phillipoux.net>

Prev by Date: Re: OpenLDAP authenticate the username/password with MS-AD?
Next by Date: Re: acls help
Index(es):
- Chronological
- Thread