[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: acls help

To: openldap-technical@openldap.org
Subject: Re: acls help
From: Juliano Rodrigues <juliano@linuxclass.com.br>
Date: Wed, 21 Jul 2010 09:29:52 -0300
In-reply-to: <4C46B0E7.7050808@phillipoux.net>
References: <4C463F45.7050803@linuxclass.com.br> <4C46B0E7.7050808@phillipoux.net>
User-agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.10) Gecko/20100512 Thunderbird/3.0.5

On 21/07/10 05:33, Jonathan Clarke wrote:

On 21/07/2010 02:28, Juliano Rodrigues wrote:

Hello,

Im using Phamm, its an php-web front-end to manage ldap postfix virtual
hosting mail env. at my Fedora 11 box (openldap 2.4.15-7).

Its designed to manage multi roles access:

Admin/Manager (full access)
postmaster (manage accounts under own domain)
account/user (manage own account only)

Install instructions from Phamm autor, recommends to do an include at
end of slapd.conf to phamm.acl file.

But its not working here, only Admin or Manager (rootdn) can writechanges.


User postmaster cannot write and account users have read only access as
well.

Below I post phamm.acl, Please, Can anyone help me with this acls issue?


A few suggestions:

- Have you modified phamm.acl to contain your DN suffix instead ofdc=example,dc=tld?- ACLs are treated in order, and the first that matches wins. Do youhave any other ACLs in your slapd.conf, before this include? If so,you need to adapt them to fit in with this one.


Hope this helps,
Jonathan


--- phamm.acl ---

access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$"
attrs=userPassword
by dn="cn=admin,dc=example,dc=tld" write
by self write
by anonymous auth

by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld"write

by set.expand="user/vd & [$1]" write

access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$"
attrs=amavisBypassVirusChecks,quota,smtpAuth,accountActive
by dn="cn=admin,dc=example,dc=tld" write
by self read
by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read
by set.expand="user/editAccounts & [TRUE]" write

by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld"read

by set.expand="user/vd & [$1]" write

access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$"

attrs=cn,sn,uid,forwardActive,vacationActive,vacationInfo,vacationStart,vacationEnd,vacationForward,amavisSpamTagLevel,amavisSpamTag2Level,amavisSpamKillLevel


by dn="cn=admin,dc=example,dc=tld" write
by self write
by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read

by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld"write

by set.expand="user/vd & [$1]" write

access to dn.regex="^.*,vd=([^,]+),o=hosting,dc=example,dc=tld$"
attrs=editAccounts
by dn="cn=admin,dc=example,dc=tld" write
by self read
by set.expand="user/editAccounts & [TRUE]" write
by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read
by * none

access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$"
attrs=objectClass,entry
by dn="cn=admin,dc=example,dc=tld" write
by self write
by anonymous read
by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read
by set.expand="user/editAccounts & [TRUE]" write

by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld"read


access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$"
attrs=amavisBypassSpamChecks,accountActive,delete
by dn="cn=admin,dc=example,dc=tld" write
by self read
by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read

by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld"write

by set.expand="user/vd & [$1]" write

access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$"
attrs=otherPath
by dn="cn=admin,dc=example,dc=tld" write
by anonymous read
by self read
by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read

by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld"read

by set.expand="user/vd & [$1]" write

access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$"
attrs=createMaildir,vdHome,mailbox,otherTransport
by dn="cn=admin,dc=example,dc=tld" write
by self read
by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read
by set.expand="user/vd & [$1]" read

access to dn.regex="^(.+,)?vd=([^,]+),o=hosting,dc=example,dc=tld$"
attrs=vd
by dn="cn=admin,dc=example,dc=tld" write
by self write
by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read

by dn.exact,expand="cn=postmaster,vd=$2,o=hosting,dc=example,dc=tld"write

by set.expand="user/vd & [$2]" write

access to dn.regex="^(.+,)?vd=([^,]+),o=hosting,dc=example,dc=tld$"
by dn="cn=admin,dc=example,dc=tld" write
by self write
by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read
by set.expand="user/editAccounts & [FALSE]" read

by dn.exact,expand="cn=postmaster,vd=$2,o=hosting,dc=example,dc=tld"write

by set.expand="user/vd & [$2]" write

access to dn.regex=".+,o=hosting,dc=example,dc=tld$"
by dn="cn=admin,dc=example,dc=tld" write
by self write
by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read
by anonymous auth

access to dn.regex=".+,dc=tld$"
by dn="cn=admin,dc=example,dc=tld" write
by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read
by anonymous auth

access to dn.regex=".+,ou=admin,dc=example,dc=tld$" attrs=userPassword
by dn="cn=admin,dc=example,dc=tld" write
by self write
by anonymous auth

access to dn.regex=".+,ou=admin,dc=example,dc=tld$" attrs=vd
by dn="cn=admin,dc=example,dc=tld" write
by self read

access to dn.regex="ou=admin,dc=example,dc=tld$"
by dn="cn=admin,dc=example,dc=tld" write
by self read

--- end ---

Im using for test propose this DN suffix dc=example,dc=tld at this firstmoment.


There is no other acls in my slapd.conf.

Why postmaster and users cannot write changes? Thanks

Follow-Ups:
- Re: acls help
  - From: Jonathan Clarke <jonathan@phillipoux.net>

References:
- acls help
  - From: Juliano Rodrigues <juliano@linuxclass.com.br>
- Re: acls help
  - From: Jonathan Clarke <jonathan@phillipoux.net>

Prev by Date: Re: acls help
Next by Date: Design question
Index(es):
- Chronological
- Thread