
ACL with val.regex expression
Hi all,

I'm banging my head against a wall trying to get one particular ACL
setup.  We want our users, with the exception of those that have a
restricted shell, to be able to change their own shell values.  A
typical user looks like:

dn: uid=user,ou=people,dc=cs,dc=brown,dc=edu
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: krb5Principal
objectClass: sambaSamAccount
objectClass: ownCloudUser
objectClass: mailUser
...
loginShell: /bin/bash

We'd ideally like to have an ACL in place that looks like:

access to dn.subtree="ou=people,dc=cs,dc=brown,dc=edu" attrs=loginShell
val.regex="/bin/[^f][^s][^h]"
  by ssf=128 self write
  by * read

The idea being that a user with a loginShell value of /bin/fsh would NOT
be allowed to change their shell value.  However, with this rule in
place, no user is able to change their shell value.  Even if I change
the rule to be:

access to dn.subtree="ou=people,dc=cs,dc=brown,dc=edu" attrs=loginShell
val.exact="/bin/bash"
  by ssf=128 self write
  by * read

users with loginShell of /bin/bash still can't change their own values.
If I drop the val.<type>="<whatever>" restriction, users can change
their shell values just fine.  This is the first time I've ever used an
ACL with a val.<type>= restriction, but I've scoured the internet and I
can't for the life of me figure out what I'm doing wrong.  I'm happy to
have someone here give me a dope slap... I'm just tired of the headaches ;)

Thanks!

Mark
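One thing worth checking before blaming the ACL engine is what the val.regex pattern itself matches. A slapd val.regex is an unanchored POSIX extended regular expression (it is compiled with regcomp() and applied with regexec(), so it matches anywhere in the value), and a negated character class such as `[^f][^s][^h]` rejects any value whose three characters after `/bin/` happen to hit one of those letters in that position, not just `fsh`. The script below is an added example, not part of Mark's post or of OpenLDAP; it uses Python's `re.search` as a stand-in for POSIX ERE (an assumption: the two dialects agree on the simple classes and alternations used here) and runs the pattern from the post, plus an anchored allow-list alternative, over a constructed set of shell values.

```python
import re

# Constructed sample loginShell values, chosen to probe the edge cases of the
# pattern in the post; these are not taken from any real directory.
SHELLS = ["/bin/bash", "/bin/sh", "/bin/tcsh", "/bin/fsh", "/bin/false", "/bin/zsh"]

# The pattern exactly as written in the post.
POSTED_PATTERN = "/bin/[^f][^s][^h]"

# An anchored allow-list alternative (assumption: this is the set of shells
# users should be able to keep; adjust to the real list). POSIX ERE has no
# negative lookahead, so "everything except /bin/fsh" is easier to express as
# "only these shells" than as a negated pattern.
ALLOWLIST_PATTERN = "^/bin/(bash|sh|tcsh|zsh)$"


def regex_matches(pattern: str, value: str) -> bool:
    """Unanchored search, mirroring regexec() on a val.regex pattern.

    Python's re module stands in for the POSIX ERE engine slapd uses; for the
    character classes and alternations in this example the two agree.
    """
    return re.search(pattern, value) is not None


def evaluate(pattern: str, shells=SHELLS) -> dict:
    """Map each candidate value to whether the pattern would select it.

    A value the pattern does not match is not covered by the ACL clause that
    carries the val.regex, so 'self write' never applies to it.
    """
    return {shell: regex_matches(pattern, shell) for shell in shells}


def unintended_denials(pattern: str, restricted: set, shells=SHELLS) -> list:
    """Values that are NOT in the restricted set yet still fail to match.

    These are the users who would unexpectedly lose the ability to change
    their shell under the given pattern.
    """
    result = evaluate(pattern, shells)
    return [s for s in shells if s not in restricted and not result[s]]


if __name__ == "__main__":
    for name, pattern in (("posted", POSTED_PATTERN), ("allow-list", ALLOWLIST_PATTERN)):
        print(f"{name}: {pattern}")
        for shell, matched in evaluate(pattern).items():
            print(f"  {shell:12s} -> {'matches' if matched else 'no match'}")
        print("  unintended denials:", unintended_denials(pattern, {"/bin/fsh"}))
```

Running this shows that the posted pattern does reject `/bin/fsh` and `/bin/false`, but it also fails to match `/bin/sh` (only two characters follow `/bin/`) and `/bin/zsh` (the `s` lands in the `[^s]` position), so those users would be locked out of changing their shell as well. The allow-list form matches exactly the listed shells and nothing else, which is the easier property to reason about when reviewing an ACL.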