ACL with val.regex expression
- To: openldap-technical@openldap.org
- Subject: ACL with val.regex expression
- From: Mark Dieterich <mkd@cs.brown.edu>
- Date: Fri, 11 Oct 2013 16:35:34 -0400
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
Hi all,
I'm banging my head against a wall trying to get one particular ACL
setup. We want our users, with the exception of those that have a
restricted shell, to be able to change their own shell values. A
typical user looks like:
dn: uid=user,ou=people,dc=cs,dc=brown,dc=edu
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: krb5Principal
objectClass: sambaSamAccount
objectClass: ownCloudUser
objectClass: mailUser
...
loginShell: /bin/bash
We'd ideally like to have an ACL in place that looks like:
access to dn.subtree="ou=people,dc=cs,dc=brown,dc=edu" attrs=loginShell
val.regex="/bin/[^f][^s][^h]"
by ssf=128 self write
by * read
The idea being that a user with a loginShell value of /bin/fsh would NOT
be allowed to change their shell value. However, with this rule in
place, no user is able to change their shell value. Even if I change
the rule to be:
access to dn.subtree="ou=people,dc=cs,dc=brown,dc=edu" attrs=loginShell
val.exact="/bin/bash"
by ssf=128 self write
by * read
users with loginShell of /bin/bash still can't change their own values.
If I drop the val.<type>="<whatever>" restriction, users can change
their shell values just fine. This is the first time I've ever used an
ACL with a val.<type>= restriction, but I've scoured the internet and I
can't for the life of me figure out what I'm doing wrong. I'm happy to
have someone here give me a dope slap... I'm just tired of the headaches ;)
Thanks!
Mark
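As an added example (not part of the post above), the script below runs the post's val.regex pattern, and a constructed allowlist alternative, over a constructed set of loginShell values to show which values each pattern actually selects; the negated-class pattern also rejects shells such as /bin/sh and /bin/zsh, and being unanchored it matches inside longer paths. It assumes slapd evaluates val.regex as a POSIX extended regex that may match anywhere in the value unless anchored, which Python's re.search reproduces for the constructs used here.

```python
import re

# Pattern from the post: intended to exclude /bin/fsh by negating one
# character class per position.
DENYLIST_REGEX = r"/bin/[^f][^s][^h]"

# Assumption: a constructed allowlist of the shells users may set; anchored so
# only the whole value can match (POSIX ERE has no negative lookahead, so an
# allowlist is the portable way to express "everything except ...").
ALLOWLIST_REGEX = r"^/bin/(bash|sh|zsh|tcsh)$"

# Constructed sample loginShell values, not taken from the directory in the post.
SAMPLE_SHELLS = [
    "/bin/bash",            # intended to be allowed
    "/bin/fsh",             # the restricted shell the post wants to exclude
    "/bin/sh",              # two characters after /bin/ -> denylist never matches
    "/bin/zsh",             # second char is 's' -> [^s] fails
    "/bin/false",           # first char is 'f' -> [^f] fails
    "/usr/local/bin/bash",  # unanchored denylist matches the "/bin/bash" substring
]


def value_matches(pattern, value):
    """True if a val.regex with this pattern would select the given value.

    re.search mirrors regexec: the match may start anywhere unless the
    pattern is anchored with ^ and $.
    """
    return re.search(pattern, value) is not None


def classify(pattern, values):
    """Map each candidate value to whether the pattern selects it."""
    return {v: value_matches(pattern, v) for v in values}


def main():
    for name, pattern in (("denylist", DENYLIST_REGEX), ("allowlist", ALLOWLIST_REGEX)):
        print(f"{name}: {pattern}")
        for value, selected in classify(pattern, SAMPLE_SHELLS).items():
            print(f"  {value:<22} {'selected' if selected else 'not selected'}")


if __name__ == "__main__":
    main()
```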