Re: ACL for object creation in subtree with specific attributes and object classes
On Tue, 5 Aug 2014 13:39:13 +0200, Simeon Ott <simeon.ott@onnet.ch> wrote:
> On 05.08.2014, at 11:39, Dieter Klünter <dieter@dkluenter.de> wrote:
>
> > On Tue, 5 Aug 2014 09:41:36 +0200, Simeon Ott <simeon.ott@onnet.ch> wrote:
> >
> >> […]
> >>     by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
> >>     by * read
> >> access to *
> >>     by dn.base="cn=admin,dc=mydomain" write
> >>     by * read
> >>
> >> ACL rule 4 allows the postmaster to add objects to its "domain"
> >> without any restrictions. How can I restrict the object creation to
> >> specific object classes and attributes? Let's say postmaster should
> >> only be able to add objects like the following:
> > [...]
> > man slapd.access(5), the <WHAT> field: @<objectClass>
> >
> > -Dieter
> >
>
> Thanks Dieter, I tried the following already … instead of rules 3 and
> 4 I used the following:
>
> access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=intra,dc=onnet,dc=ch$"
>     attrs=@CourierMailAccount,@inetOrgPerson,@top,@Vacation,entry,vacationInfo,smtpRelayFlag,description,vacationForward,displayName,givenName,homePhone,homePostalAddress,initials,mobile,postalAddress,postalCode,l,telephoneNumber,title
>     by self write
>     by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=intra,dc=onnet,dc=ch" write
>     by * read
>
> access to dn.regex="^ou=(.+),ou=domains,dc=intra,dc=onnet,dc=ch$"
>     attrs=children
>     by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=intra,dc=onnet,dc=ch" write
>     by * read
>
> As postmaster I'm still able to add objects to its domain. But I'm
> also able to add other object classes and attributes.
>
> I think I'm messing around with the attributes entry and children –
> can anyone help me clean this up? :-)
Run slapd in debugging mode (acl) and watch the rule number applied to a
write operation.
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
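
An added example, not part of the thread and not OpenLDAP code: a small shell helper that digests the acl debug output Dieter refers to into one line per checked attribute, so the rule that fired on each attribute of an ldapadd is visible at a glance. It runs stand-alone against a constructed sample modelled on the format slapd prints with "-d acl" (the "=> access_allowed:", "=> acl_get: [N] matched" and "<= acl_mask: [N] applying" lines); the DNs under dc=example,dc=com and the rule numbers are assumptions for the example, not the poster's configuration. Two counters are shown because in that output the acl_get index is the position of the "access to" directive in slapd.conf, while the acl_mask index counts the "by" clauses inside that directive. An add is checked attribute by attribute (write on children of the parent, on entry of the new object, and on every attribute it carries), so a single attribute that falls through to a catch-all granting only read is enough to make the whole add fail, which is what the last attribute in the sample shows.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenLDAP project.
# Summarise which <access> rule and which "by" clause slapd applied to each
# attribute of one write, from the stderr of e.g.
#     slapd -d acl -h ldap://127.0.0.1:3890 -f slapd.conf 2>acl.log
# while an ldapadd is run as the postmaster DN.  Usage: acl_trace < acl.log
#
# SAMPLE_ACL_LOG is CONSTRUCTED for this example, modelled on the shape of
# slapd's acl debug lines; DNs and rule numbers are assumptions.
SAMPLE_ACL_LOG='=> access_allowed: add access to "ou=example.com,ou=domains,dc=example,dc=com" "children" requested
=> acl_get: [1] attr children
=> acl_get: [2] attr children
=> acl_get: [2] matched
<= check a_dn_pat: cn=postmaster,ou=$1,ou=domains,dc=example,dc=com
<= acl_mask: [1] applying write(=wrscxd) (stop)
=> access_allowed: add access granted by write(=wrscxd)
=> access_allowed: add access to "uid=bob,ou=example.com,ou=domains,dc=example,dc=com" "entry" requested
=> acl_get: [1] attr entry
=> acl_get: [1] matched
<= check a_dn_pat: cn=postmaster,ou=$2,ou=domains,dc=example,dc=com
<= acl_mask: [2] applying write(=wrscxd) (stop)
=> access_allowed: add access granted by write(=wrscxd)
=> access_allowed: add access to "uid=bob,ou=example.com,ou=domains,dc=example,dc=com" "objectClass" requested
=> acl_get: [1] attr objectClass
=> acl_get: [1] matched
<= acl_mask: [2] applying write(=wrscxd) (stop)
=> access_allowed: add access granted by write(=wrscxd)
=> access_allowed: add access to "uid=bob,ou=example.com,ou=domains,dc=example,dc=com" "carLicense" requested
=> acl_get: [1] attr carLicense
=> acl_get: [2] attr carLicense
=> acl_get: [3] attr carLicense
=> acl_get: [3] matched
<= acl_mask: [2] applying read(=rscxd) (stop)
=> access_allowed: add access denied by read(=rscxd)'

# acl_trace: read slapd acl debug output on stdin and print one line per
# checked attribute:
#   <attr> rule=<access rule #> by=<by clause #> granted|denied <mask>
acl_trace() {
  awk '
    # a new check starts; the requested attribute is the last quoted token
    /^=> access_allowed: .* requested$/ {
      n = split($0, q, "\""); attr = q[n-1]; rule = "?"; clause = "?"
    }
    # acl_get numbers the <access to> directives; "matched" names the one used
    /^=> acl_get: \[[0-9]+\] matched/ {
      rule = $3; sub(/^\[/, "", rule); sub(/\]$/, "", rule)
    }
    # acl_mask numbers the "by" clauses inside that directive
    /^<= acl_mask: \[[0-9]+\] applying/ {
      clause = $3; sub(/^\[/, "", clause); sub(/\]$/, "", clause)
    }
    # final verdict for this attribute, e.g. "add access denied by read(=rscxd)"
    /^=> access_allowed: .* access (granted|denied) by / {
      mask = $NF; sub(/\(.*$/, "", mask)
      print attr, "rule=" rule, "by=" clause, $(NF-2), mask
    }
  '
}

# denied_attrs: only the attributes the write would fail on
denied_attrs() {
  acl_trace | awk '$4 == "denied" { print $1 }'
}

printf '%s\n' "$SAMPLE_ACL_LOG" | acl_trace
printf '%s\n' "$SAMPLE_ACL_LOG" | denied_attrs
```

Against the sample, children and entry resolve through the two postmaster rules, objectClass is written through rule 1 as well, and carLicense falls through to rule 3 where the postmaster only matches the "by * read" clause, so the add is denied on that attribute. Run against a real capture, the attribute named in the first "denied" line is the one the ACL set has to account for.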