Re: ACL for object creation in subtree with specific attributes and object classes
On Tue, 5 Aug 2014 22:41:54 +0200, Simeon Ott <simeon.ott@onnet.ch> wrote:
> On 05.08.2014, at 18:03, Dieter Klünter <dieter@dkluenter.de> wrote:
>
>
> Can you help me find the rule that is applied during the write of an
> object with uid=1234? I used other object classes and attributes
> which are not in the allowed attribute list. The debugging output is
> attached to this email. The current ACL set is listed below.
[...]
> access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$"
>     attrs=@CourierMailAccount,@inetOrgPerson,@top,@Vacation,entry,cn,sn,homeDirectory,vacationActive,vacationInfo,vacationForward,smtpRelayFlag,description,displayName,givenName,homePhone,homePostalAddress,initials,mobile,postalAddress,postalCode,l,telephoneNumber,title
>     by self write
>     by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
>     by * read
>
> access to dn.regex="^ou=(.+),ou=domains,dc=mydomain$" attrs=children
>     by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write
>     by * read
These two rule sets are applied; the object classes are expanded and all
attribute types of these object classes are write-allowed. The
restricting attribute types are not considered, as @<objectClass> is
applied and matched.
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
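The expansion Dieter describes can be checked without a running slapd. The following is an added example, not code from this thread or from OpenLDAP: it models how an attrs= list is expanded (@<objectClass> adds every attribute type the class requires or allows, superclasses included; !<objectClass> adds every known type the class does not allow; plain names are taken as-is) and applies it to the attrs= list from the posted rule. The schema table is a constructed, abridged copy of the standard core and inetorgperson definitions; the CourierMailAccount and Vacation entries are assumed stand-ins and must be checked against the site's own schema files.

```python
"""Model of how slapd expands @<objectClass> in an ACL attrs= list.

Added example; this is not code from the original thread or from OpenLDAP.
The schema table is a constructed, abridged copy of the standard core and
inetorgperson definitions (MUST/MAY plus the SUP chain); the entries for
CourierMailAccount and Vacation are assumed stand-ins, not the site's schema.
"""

# Constructed, abridged schema: objectClass -> (SUP, MUST, MAY).
SCHEMA = {
    "top": (None, {"objectClass"}, set()),
    "person": ("top", {"sn", "cn"},
               {"userPassword", "telephoneNumber", "seeAlso", "description"}),
    "organizationalPerson": ("person", set(),
                             {"title", "postalAddress", "postalCode", "street",
                              "l", "st", "ou", "facsimileTelephoneNumber"}),
    "inetOrgPerson": ("organizationalPerson", set(),
                      {"uid", "mail", "displayName", "givenName", "homePhone",
                       "homePostalAddress", "initials", "mobile", "jpegPhoto",
                       "manager", "employeeNumber"}),
    # Assumed stand-ins for the site-local classes named in the post.
    "CourierMailAccount": ("top", {"mail", "homeDirectory"},
                           {"mailbox", "quota", "uidNumber", "gidNumber"}),
    "Vacation": ("top", set(),
                 {"vacationActive", "vacationInfo", "vacationForward"}),
}


def class_attrs(oc):
    """Every attribute type required or allowed by oc, superclasses included
    (slapd's per-class required/allowed sets already contain inherited types)."""
    attrs = set()
    while oc is not None:
        sup, must, may = SCHEMA[oc]
        attrs |= must | may
        oc = sup
    return attrs


def expand_attrs(attrlist):
    """Expand an attrs= list: @oc adds the class's attribute types, !oc adds
    every known type the class does not allow, plain names are added as-is.
    'Known' is approximated here by the union of all classes in SCHEMA."""
    known = set().union(*(class_attrs(oc) for oc in SCHEMA))
    result = set()
    for item in attrlist:
        if item.startswith("@"):
            result |= class_attrs(item[1:])
        elif item.startswith("!"):
            result |= known - class_attrs(item[1:])
        else:
            result.add(item)
    return result


def explicit_names(attrlist):
    """The plainly named attribute types (and pseudo-attributes like entry)."""
    return {a for a in attrlist if not a.startswith(("@", "!"))}


def redundant_names(attrlist):
    """Explicitly listed names that an @oc term in the same list already covers."""
    covered = set()
    for item in attrlist:
        if item.startswith("@"):
            covered |= class_attrs(item[1:])
    return explicit_names(attrlist) & covered


def unintended_grants(attrlist):
    """Attribute types the rule grants only through @oc expansion, i.e. types
    the administrator never named in the list."""
    return expand_attrs(attrlist) - explicit_names(attrlist)


# The attrs= list from the posted ACL, split on commas.
POSTED_ATTRS = ("@CourierMailAccount,@inetOrgPerson,@top,@Vacation,entry,cn,sn,"
                "homeDirectory,vacationActive,vacationInfo,vacationForward,"
                "smtpRelayFlag,description,displayName,givenName,homePhone,"
                "homePostalAddress,initials,mobile,postalAddress,postalCode,l,"
                "telephoneNumber,title").split(",")

# Same list with the @objectClass terms removed: only the named types remain.
TIGHTENED_ATTRS = [a for a in POSTED_ATTRS if not a.startswith("@")]

if __name__ == "__main__":
    print("granted but never named:", sorted(unintended_grants(POSTED_ATTRS)))
    print("named but already covered by @oc:",
          sorted(redundant_names(POSTED_ATTRS)))
    print("extra grants after dropping @oc terms:",
          sorted(unintended_grants(TIGHTENED_ATTRS)))
```

Run against the posted list, the model shows that every explicit name except entry and smtpRelayFlag is already covered by one of the @ terms, so the explicit list restricts nothing. It also shows what the @ terms add on top: with the standard schema, @top expands to objectClass and @inetOrgPerson (through person) to userPassword, so "by self write" on this rule lets a user modify their own object classes and password whether or not that was intended. With the @ terms removed (TIGHTENED_ATTRS) the expansion equals the explicit list and nothing extra is granted; whether that is the right rule for this directory, or whether the site-local classes carry further attributes, has to be confirmed against the real schema files rather than the stand-ins assumed here.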