Re: I'm completely confused by ACLs ... @-)
On 16/11/10 10:51 +0100, Götz Reinicke - IT-Koordinator wrote:
It should be so simple ... I thought.
At first some things worked, but then I messed something up and now I'm
completely confused.
What I want (sooner or later):
- users should authenticate using POSIX and Samba accounts.
- they may change their password.
- they may look up other users' mail, phone, ... addresses in LDAP using
Thunderbird or Apple Address Book
- they may change their phone number and (maybe) their postal address
- admin users should be able to write and read everything.
- anonymous users may later read the mail and cn/sn attributes.
Maybe someone has such ACLs already set up and would like to share them, or
can help me?
It would be great, because reading the docs and experimenting is helpful, but I
did not end up with a working, secure, flexible, understandable setup.
We haven't deployed address books, but you might still find our approach
useful as a starting point. We intend to provide individual address books
for users to manage themselves, but we do not allow users to search for or
find other users. I've cut out all the group/admin related configuration
for simplicity.
# slapd evaluates "access to" directives top to bottom and uses the first
# one whose target (DN and attribute) matches; within a directive the first
# matching "by" clause decides. Anything no directive covers is denied
# (the list ends with an implicit "access to * by * none").

# Each user's private address book lives under
# ou=addressbook,uid=<user>,ou=people,dc=example,dc=net. The first rule
# covers the container, the second the entries in it. The uid captured by
# ([^,]+) is reused as $1 in the "by" clause, so only the owner may write
# and nobody else may even see it.
access to dn.regex="ou=addressbook,uid=([^,]+),ou=people,dc=example,dc=net$"
        by dn.regex="uid=$1,ou=people,dc=example,dc=net" write
        by * none

access to dn.regex=".*,ou=addressbook,uid=([^,]+),ou=people,dc=example,dc=net$"
        by dn.regex="uid=$1,ou=people,dc=example,dc=net" write
        by * none

# dn.base matches only the named entry itself, not its children.
# "anonymous auth" lets unauthenticated clients bind; "users read" applies
# to anyone already authenticated.
access to dn.base="ou=people,dc=example,dc=net"
        by anonymous auth
        by users read
        by * none

access to dn.base="ou=groups,dc=example,dc=net"
        by users read
        by * none

access to dn.base="ou=aliases,dc=example,dc=net"
        by anonymous auth
        by users read
        by * none

# Password and key material on every entry: usable for binding (auth) but
# never readable; the owner may replace it; everyone else gets nothing.
# Listing shadowLastChange and sambaPwdLastSet here lets the owner's
# password-change tools update them too.
access to attrs=userPassword,shadowLastChange,sambaPwdLastSet,sambaLMPassword,sambaNTPassword,krb5KeyVersionNumber,krb5Key,cmusaslsecretOTP
        by anonymous auth
        by self write
        by * none

access to attrs=authzTo
        by anonymous auth
        by self read
        by * none

access to attrs=objectClass
        by anonymous auth
        by self read
        by * none

# "entry" is the pseudo-attribute that gates access to the entry as a whole;
# without read on it a user cannot retrieve their own entry at all. Other
# user attributes (cn, sn, mail, ...) are not listed anywhere, so nobody,
# not even the owner, can read them.
access to attrs=entry,uidNumber
        by anonymous auth
        by self read
        by * none

# The root DSE must stay readable so clients can discover naming contexts
# and supported features before binding.
access to dn.base="" by * read
--
Dan White
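Below is an added example that is not part of either message in this thread: one slapd.conf ACL set written to cover the requirements listed in the original question (POSIX and Samba authentication, self-service password change, shared address book lookups, self-service phone and postal address, an admin group with full access, and anonymous read of cn/sn/mail). The tree layout and the admin group DN cn=ldapadmins,ou=groups,dc=example,dc=net are assumptions for illustration; adjust them to your DIT. The samba and nis schemas are assumed to be loaded.

```conf
# Assumed layout (example only): users under ou=people,dc=example,dc=net,
# admins are members of cn=ldapadmins,ou=groups,dc=example,dc=net.
# Directives are checked top to bottom; the first "access to" whose DN *and*
# attribute match an access decides, so the most specific rules come first.
# The rootdn is not subject to these ACLs at all.

# 1. Password and key material, on every entry in the database: usable for
#    binding (auth), replaceable by the owner (ldappasswd, pam_ldap, smbpasswd)
#    and by admins, never readable by anyone.
access to attrs=userPassword,shadowLastChange,sambaLMPassword,sambaNTPassword,sambaPwdLastSet
        by group.exact="cn=ldapadmins,ou=groups,dc=example,dc=net" write
        by self write
        by anonymous auth
        by * none

# 2. Contact details users maintain themselves; other authenticated users
#    may read them (Thunderbird / Address Book lookups).
access to dn.subtree="ou=people,dc=example,dc=net"
        attrs=telephoneNumber,mobile,postalAddress,street,postalCode,l
        by group.exact="cn=ldapadmins,ou=groups,dc=example,dc=net" write
        by self write
        by users read
        by * none

# 3. Public directory attributes. "entry" must be included so anonymous
#    clients may retrieve the entry at all; "read" implies "search", so
#    filters on cn/sn/mail work. Drop the "by anonymous read" line until
#    you actually want anonymous lookups.
access to dn.subtree="ou=people,dc=example,dc=net"
        attrs=entry,objectClass,cn,sn,mail
        by group.exact="cn=ldapadmins,ou=groups,dc=example,dc=net" write
        by users read
        by anonymous read
        by * none

# 4. Everything else on user entries (uid, uidNumber, gidNumber,
#    homeDirectory, loginShell, sambaSID, ...): readable by authenticated
#    users, which nss_ldap and Samba need, writable only by admins.
access to dn.subtree="ou=people,dc=example,dc=net"
        by group.exact="cn=ldapadmins,ou=groups,dc=example,dc=net" write
        by users read
        by * none

# 5. Groups and the rest of the tree.
access to dn.subtree="dc=example,dc=net"
        by group.exact="cn=ldapadmins,ou=groups,dc=example,dc=net" write
        by users read
        by * none

# 6. The root DSE stays world-readable so clients can discover naming
#    contexts and supported features before they bind.
access to dn.base=""
        by * read
```

Two checks worth running before trusting a set like this: slapacl(8) evaluates a single access decision offline, for example `slapacl -f /etc/ldap/slapd.conf -D "uid=bob,ou=people,dc=example,dc=net" -b "uid=alice,ou=people,dc=example,dc=net" userPassword/read` should report DENIED while the same command with `telephoneNumber/read` should report ALLOWED; and an anonymous `ldapsearch -x -b ou=people,dc=example,dc=net` should return only cn, sn and mail. If you later add per-user subtrees with a captured `$1` as in the reply above, note that slapd.access(5) interprets a `by dn.regex=` pattern as a regular expression after substitution, so a uid containing regex metacharacters is not compared literally; `by dn.exact,expand="uid=$1,ou=people,dc=example,dc=net"` compares the expanded string exactly and is the safer form.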