Re: ACL for object creation in subtree with specific attributes and object classes
On 05.08.2014, at 22:41, Simeon Ott <simeon.ott@onnet.ch> wrote:
> On 05.08.2014, at 18:03, Dieter Klünter <dieter@dkluenter.de> wrote:
>>>>>
>>>>> As postmaster I'm still able to add objects to its domain. But I'm
>>>>> also able to add other objectclasses and attributes.
>>>>>
>>>>> I think I messed around with the attributes entry and children –
>>>>> can anyone help me clean up? :-)
>>>>
>>>> run slapd in debugging mode acl and watch the rule number applied
>>>> to a write operation.
>>>>
>>>
>>> Okay, this didn't really help, but thanks anyway. I'm not familiar
>>> with reading those logs. I adjusted the loglevel to 128 to see the
>>> ACL processing, but it's still a huge amount of log lines when adding
>>> such an LDIF. I thought it was going to be an easy task.
>>
>> I am talking about debugging, not logging!
>> man slapd(8)
>>
>
> Can you help me find the rule applied during the write of an object with uid=1234? I used other objectclasses and attributes which are not in the allowed attribute list. The debugging output is attached to this email. The current ACL set is listed below.
>
> access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=userPassword
>     by dn.base="cn=admin,dc=mydomain" write
>     by self write
>     by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
>     by anonymous auth
>     by * none
>
> access to attrs=userPassword
>     by dn.base="cn=admin,dc=mydomain" write
>     by self write
>     by anonymous auth
>     by * none
>
> access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=@CourierMailAccount,@inetOrgPerson,@top,@Vacation,entry,cn,sn,homeDirectory,vacationActive,vacationInfo,vacationForward,smtpRelayFlag,description,displayName,givenName,homePhone,homePostalAddress,initials,mobile,postalAddress,postalCode,l,telephoneNumber,title
>     by self write
>     by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
>     by * read
>
> access to dn.regex="^ou=(.+),ou=domains,dc=mydomain$" attrs=children
>     by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write
>     by * read
>
> access to *
>     by dn.base="cn=admin,dc=mydomain" write
>     by * read
>
> Appreciate your help!
> simeon
>
> <debug_output_write.txt>
The filter statement below actually did the trick.
access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=userPassword
    by dn.base="cn=admin,dc=mydomain" write
    by self write
    by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
    by anonymous auth
    by * none

access to attrs=userPassword
    by dn.base="cn=admin,dc=mydomain" write
    by self write
    by anonymous auth
    by * none

access to dn.regex="^ou=(.+),ou=domains,dc=mydomain$" attrs=children
    by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write
    by * read

access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=entry,cn,uidNumber,gidNumber,sn,homeDirectory,vacationActive,vacationInfo,vacationForward,smtpRelayFlag,description,displayName,givenName,homePhone,homePostalAddress,initials,mobile,postalAddress,postalCode,l,telephoneNumber,title
    filter="(&(objectClass=CourierMailAccount)(objectClass=inetOrgPerson)(objectClass=top)(objectClass=Vacation))"
    by self write
    by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
    by * read

access to *
    by dn.base="cn=admin,dc=mydomain" write
    by * read
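The final ACL above relies on two mechanisms that are easy to get subtly wrong: the `dn.regex` capture groups that `,expand` substitutes into the `by` clause (`$2` for the per-entry rules, `$1` for the `children` rule on the domain entry itself), and the `filter=` clause that decides whether the attribute rule applies to a given entry at all. The following Python script is an added example, not code from the thread or from OpenLDAP; it re-implements both mechanisms in simplified form so the regex and the filter can be checked offline. It assumes that a case-insensitive string comparison stands in for slapd's DN normalisation, and it only evaluates the RFC 4515 filter subset the ACL uses (equality assertions combined with `&`, `|`, `!`). The sample DNs and entries are constructed for the example.

```python
import re

# Rules copied from the final ACL in the thread; everything else below is constructed.
DOMAIN_RULE = r"^(.+,)?ou=(.+),ou=domains,dc=mydomain$"
POSTMASTER_BY = "cn=postmaster,ou=$2,ou=domains,dc=mydomain"
CHILDREN_RULE = r"^ou=(.+),ou=domains,dc=mydomain$"
CHILDREN_BY = "cn=postmaster,ou=$1,ou=domains,dc=mydomain"
REQUIRED_CLASSES = ("(&(objectClass=CourierMailAccount)(objectClass=inetOrgPerson)"
                    "(objectClass=top)(objectClass=Vacation))")


def expand(template, match):
    """Replace $1..$9 in a <who> template with the groups captured by the <what>
    regex, as slapd's ',expand' does (simplified: no escaping of special chars)."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))) or "", template)


def expanded_who(target_dn, rule, template):
    """DN named by the expanded <who> clause for this target, or None when the
    <what> regex does not match the target at all (assumption: case-insensitive
    matching models slapd's comparison of normalised DNs)."""
    m = re.match(rule, target_dn, re.IGNORECASE)
    return None if m is None else expand(template, m)


def who_matches(bind_dn, target_dn, rule, template):
    """True when bind_dn is exactly the DN the expanded <who> clause names."""
    who = expanded_who(target_dn, rule, template)
    return who is not None and who.lower() == bind_dn.lower()


# Minimal evaluator for the filter subset used in the ACL: equality assertions
# joined by & / | / ! (no substring, presence or extensible matching).
def _parse(s, i):
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":
        op, i, subs = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            subs.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, subs), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr, value), j + 1


def parse_filter(s):
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing data after filter")
    return node


def matches(node, entry):
    """entry: dict attribute name -> list of values; names and objectClass
    values are compared case-insensitively, as LDAP does."""
    if node[0] == "=":
        _, attr, value = node
        values = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
        return any(v.lower() == value.lower() for v in values)
    op, subs = node
    if op == "&":
        return all(matches(n, entry) for n in subs)
    if op == "|":
        return any(matches(n, entry) for n in subs)
    return not matches(subs[0], entry)  # "!"


def rule_applies(target_dn, entry, rule=DOMAIN_RULE, flt=REQUIRED_CLASSES):
    """Does the 'attrs=... filter=...' rule select this target/entry pair? Only
    then does its attrs list bound what the postmaster may write; otherwise
    evaluation falls through to the later rules, ending at 'access to *'."""
    return (re.match(rule, target_dn, re.IGNORECASE) is not None
            and matches(parse_filter(flt), entry))


# Constructed sample entries and DNs (not from the thread).
TARGET = "uid=1234,ou=example,ou=domains,dc=mydomain"
BASE = {"objectClass": ["top", "inetOrgPerson", "CourierMailAccount", "Vacation"],
        "uid": ["1234"], "cn": ["Test User"], "sn": ["User"]}
MISSING = dict(BASE, objectClass=["top", "inetOrgPerson", "CourierMailAccount"])
EXTRA = dict(BASE, objectClass=BASE["objectClass"] + ["posixAccount"])

if __name__ == "__main__":
    print(expanded_who(TARGET, DOMAIN_RULE, POSTMASTER_BY))
    print(rule_applies(TARGET, BASE), rule_applies(TARGET, MISSING), rule_applies(TARGET, EXTRA))
```

Two things the script makes visible. First, `$2` only expands to the domain name because the optional leading group `(.+,)?` absorbs every RDN in front of the domain `ou`, so the same rule covers the domain entry and anything beneath it, while the `children` rule on the parent uses `$1` because its regex has a single group. Second, the filter is a conjunction of required object classes, not an exclusive list: an entry that carries all four classes plus `posixAccount` still matches it, so what the postmaster may actually write is bounded by the `attrs=` list of the matching rule and by the rules that apply to anything not in that list. To verify the real configuration rather than this model, `slapacl(8)` evaluates the server's own ACLs for a given identity, target DN and attribute.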