
Re: Attribute scope of attr=entry in an ACL



>>>> Tony Earnshaw <tonni@billy.demon.nl> 03/31/03 04:18pm >>>
>On Mon, 2003-03-31 at 06:39, Ace Suares wrote:
>
>> since you are giving a base that is 'higher' than the access rules you have,
>> it should be IMPOSSIBLE to travel 'down' the tree. (At least, that's what I
>> understand of it.)
>
>That's what I've found too. That bit seems to be logical.

Indeed ... My post was already longer than I like to send, so I did not
include all of my ACLs. These are them: (btw, is there a way to use the
substitution $1, $2, $3 if I use globs and dn.subtree rather than regexs
and attr=children,entry in the access to part?)

access to dn="cn=([^,]+),ou=([^,]+),ou=([^,]+),o=people,o=company" attr=userPassword
        by self write
        by group="cn=Admin,o=company" write
        by group="cn=Admin,o=people,o=company" write
        by group="cn=Admin,ou=$3,o=people,o=company" write
        by group="cn=Admin,ou=$2,ou=$3,o=people,o=company" write
        by * compare
access to dn="dc=([^,]+),ou=email,o=internet,o=company" attr=userPassword
        by self write
        by group="cn=Admin,o=company" write
        by group="cn=Admin,o=internet,o=company" write
        by group="cn=Admin,ou=email,o=internet,o=company" write
        by group="cn=Admin,dc=$1,ou=email,o=internet,o=company" write
        by group="cn=MailServers,ou=email,o=internet,o=company" read
        by * compare
access to dn="cn=([^,]+),dc=([^,]+),ou=email,o=internet,o=company" attr=userPassword
        by self write
        by group="cn=Admin,o=company" write
        by group="cn=Admin,o=internet,o=company" write
        by group="cn=Admin,ou=email,o=internet,o=company" write
        by group="cn=Admin,dc=$2,ou=email,o=internet,o=company" write
        by group="cn=MailServers,ou=email,o=internet,o=company" read
        by * compare
access to dn.subtree="ou=hosts,o=internet,o=company" attr=userPassword
        by self write
        by group="cn=Admin,o=company" write
        by group="cn=Admin,o=internet,o=company" write
        by group="cn=Admin,ou=hosts,o=internet,o=company" write
        by * compare
access to * attr=userPassword
        by group="cn=Admin,o=company" write
access to dn="cn=Address Book,o=people,o=company" attrs=children,entry
        by group="cn=Admin,o=company" write
        by group="cn=Admin,o=people,o=company" write
        by dn.children="o=people,o=company" read
access to dn="cn=Address Book,ou=([^,]+),o=people,o=company" attrs=children,entry
        by group="cn=Admin,o=company" write
        by group="cn=Admin,o=people,o=company" write
        by group="cn=Admin,ou=$1,o=people,o=company" write
        by dn.children="ou=$1,o=people,o=company" read
access to dn="cn=Address Book,ou=([^,]+),ou=([^,]+),o=people,o=company" attrs=children,entry
        by group="cn=Admin,o=company" write
        by group="cn=Admin,o=people,o=company" write
        by group="cn=Admin,ou=$2,o=people,o=company" write
        by group="cn=Admin,ou=$1,ou=$2,o=people,o=company" write
        by dn.children="ou=$1,ou=$2,o=people,o=company" read
access to dn="cn=([^,]+),ou=([^,]+),ou=([^,]+),o=people,o=company" attr=children
        by self write
        by group="cn=Admin,o=company" write
        by group="cn=Admin,o=people,o=company" write
        by group="cn=Admin,ou=$3,o=people,o=company" write
        by group="cn=Admin,ou=$2,ou=$3,o=people,o=company" write
        by dn="cn=$1,ou=$2,ou=$3,o=people,o=company" write
access to dn="cn=([^,]+),ou=([^,]+),ou=([^,]+),o=people,o=company" attr=entry
        by self write
        by group="cn=Admin,o=company" write
        by group="cn=Admin,o=people,o=company" write
        by group="cn=Admin,ou=$3,o=people,o=company" write
        by group="cn=Admin,ou=$2,ou=$3,o=people,o=company" write
        by users read
        by * auth
access to dn="ou=([^,]+),ou=([^,]+),o=people,o=company" attrs=children,entry
        by group="cn=Admin,o=company" write
        by group="cn=Admin,o=people,o=company" write
        by group="cn=Admin,ou=$2,o=people,o=company" write
        by group="cn=Admin,ou=$1,ou=$2,o=people,o=company" write
        by users read
        by * auth
access to dn="dc=([^,]+),ou=email,o=internet,o=company" attrs=children,entry
        by self write
        by group="cn=Admin,o=company" write
        by group="cn=Admin,o=internet,o=company" write
        by group="cn=Admin,ou=email,o=internet,o=company" write
        by group="cn=Admin,dc=$1,ou=email,o=internet,o=company" write
        by * auth
access to dn.subtree="ou=hosts,o=internet,o=company"
        by self write
        by group="cn=Admin,o=company" write
        by group="cn=Admin,o=internet,o=company" write
        by group="cn=Admin,ou=hosts,o=internet,o=company" write
        by * auth
access to dn.subtree="o=internet,o=company"
        by self write
        by group="cn=Admin,o=company" write
        by group="cn=Admin,o=internet,o=company" write
access to dn="ou=([^,]+),ou=([^,]+),o=([^,]+),o=company" attrs=children,entry
        by self write
        by group="cn=Admin,o=company" write
        by group="cn=Admin,o=$3,o=company" write
        by group="cn=Admin,ou=$2,o=$3,o=company" write
        by group="cn=Admin,ou=$1,ou=$2,o=$3,o=company" write
        by users read
access to dn="ou=([^,]+),o=([^,]+),o=company" attrs=children,entry
        by self write
        by group="cn=Admin,o=company" write
        by group="cn=Admin,o=$2,o=company" write
        by group="cn=Admin,ou=$1,o=$2,o=company" write
        by users read
access to dn="o=([^,]+),o=company" attrs=children,entry
        by self write
        by group="cn=Admin,o=company" write
        by group="cn=Admin,o=$1,o=company" write
        by users read
access to dn="o=company" attrs=children,entry
        by self write
        by group="cn=Admin,o=company" write
        by users read
        by * auth

>
>> I tested with a very very simple ACL. Maybe that's good for you too. Just make
>> up ONE ACL that's very very simple and that restricts access to the first
>> level. Then add rules and see what changes. And tell us! (Especially if you
>> solved it!)

I did that also, but I just can't get these to work. Looking at the
output of slapd -d -1, when "attr=entry" is not on the one line <access
to dn="cn=([^,]+),ou=([^,]+),ou=([^,]+),o=people,o=company" attr=entry>,
the search is accepted there. With "attr=entry" present, it is the same
as with all the other matches -- no joy.

>
>I do what Mike wants, and my method works for me. My problem is that
>regexes for Openldap do not seem to work like any other regexes on this
>earth. Like SpamAssassin Perl regexes follow *completely* the Perl
>manuals and *always* work like one supposes they should. Openldap
>regexes need a fairy with a magic wand to make work and defy all logic.
>However, the good news is, that they work in the end. Though how I still
>don't know.
>
>Anybody wants to write off list, I'll give him my method; if I post it
>here, I'll get shot down in flames; life is already difficult enough.

Let's see ... what was that e-mail address again??

>
>Best,
>
>Tony
>
>-- 
>
>Tony Earnshaw
>e-post:	tonni@billy.demon.nl
>www:	http://www.billy.demon.nl
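The behaviour the thread is circling around is slapd's first-match evaluation: the first `access to` clause whose DN pattern AND attribute list match the request decides, the first matching `by` clause inside it decides the level, and running off either list denies. Two consequences matter for the questions above: a clause restricted to `attr=userPassword` never decides access to the `entry` pseudo-attribute, so the `entry`/`children` rules further down are the ones that gate the search; and `$1`..`$N` in a `by` clause can only be filled from the captures of a regex `to dn`, so a `dn.subtree` clause has nothing to substitute. The following is an added example, written for this page and not code from the post, from OpenLDAP or from Tony's off-list method: a small Python model of that evaluation order, with a trimmed copy of the post's people rules. Group membership is stubbed with a constructed dictionary, DN normalization is crude (lower-case, whitespace trimmed), `dn.children`/`dn.exact` `by` clauses are omitted, and every DN and identity in it is made up.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# slapd access levels, weakest to strongest; a granted level covers every lower one.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def norm(dn: str) -> str:
    """Crude DN normalization: lower-case, no whitespace around commas."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


@dataclass
class Rule:
    to_dn: str                        # regex or subtree base DN
    style: str = "regex"              # "regex" | "subtree"
    attrs: Optional[Set[str]] = None  # None = all attrs, incl. pseudo-attrs entry/children
    by: List[Tuple[str, str]] = field(default_factory=list)  # (who, level) in order


class Acl:
    def __init__(self, rules: List[Rule], groups: Dict[str, Set[str]]):
        self.rules = rules
        # group DN -> member DNs: a constructed stand-in for groupOfNames lookups
        self.groups = {norm(g): {norm(m) for m in ms} for g, ms in groups.items()}

    def _to_matches(self, rule: Rule, target: str, attr: str):
        """Regex captures when the `to` clause matches entry AND attribute, else None."""
        if rule.attrs is not None and attr not in rule.attrs:
            return None
        if rule.style == "subtree":
            t, b = norm(target), norm(rule.to_dn)
            return () if t == b or t.endswith("," + b) else None
        # slapd compiles dn regexes case-insensitively and does not anchor them;
        # re.search mirrors that, so an unanchored pattern also matches longer DNs.
        m = re.search(rule.to_dn, target, re.IGNORECASE)
        return m.groups() if m else None

    @staticmethod
    def _expand(pattern: str, caps: tuple) -> str:
        """Replace $1..$9 with captures from the `to dn` regex. A subtree `to` yields
        no captures, so $N stays literal and can never name a real group."""
        return re.sub(r"\$([1-9])", lambda m: caps[int(m.group(1)) - 1]
                      if int(m.group(1)) <= len(caps) else m.group(0), pattern)

    def _who_matches(self, who: str, requester: Optional[str], target: str, caps) -> bool:
        if who == "*":
            return True
        if requester is None:  # anonymous: every clause below needs a bound identity
            return False
        if who == "users":
            return True
        if who == "self":
            return norm(requester) == norm(target)
        kind, _, pat = who.partition("=")
        pat = norm(self._expand(pat, caps))
        if kind == "group":
            return norm(requester) in self.groups.get(pat, set())
        if kind == "dn":
            return norm(requester) == pat
        raise ValueError("unsupported by-clause: " + who)

    def check(self, requester: Optional[str], target: str, attr: str, needed: str):
        """Return (granted, rule_index, who). The first `to` clause matching both
        entry and attribute decides; within it the first matching `by` clause
        decides; running off either list denies (implicit trailing `by * none`)."""
        for i, rule in enumerate(self.rules):
            caps = self._to_matches(rule, target, attr)
            if caps is None:
                continue
            for who, level in rule.by:
                if self._who_matches(who, requester, target, caps):
                    return LEVELS.index(level) >= LEVELS.index(needed), i, who
            return False, i, None
        return False, None, None


# Rules modelled on the post's slapd.conf (trimmed); all DNs here are constructed.
PEOPLE = r"cn=([^,]+),ou=([^,]+),ou=([^,]+),o=people,o=company"
RULES = [
    Rule(PEOPLE, "regex", {"userPassword"}, [("self", "write"),
         ("group=cn=Admin,ou=$3,o=people,o=company", "write"), ("*", "compare")]),
    Rule(PEOPLE, "regex", {"entry"}, [("self", "write"),
         ("group=cn=Admin,ou=$3,o=people,o=company", "write"),
         ("users", "read"), ("*", "auth")]),
    # dn.subtree plus $1: no regex match exists to take the capture from.
    Rule("ou=hosts,o=internet,o=company", "subtree", None,
         [("group=cn=Admin,ou=$1,o=internet,o=company", "write"), ("*", "auth")]),
]
ALICE = "cn=alice,ou=eng,ou=nl,o=people,o=company"
BOB = "cn=bob,ou=eng,ou=nl,o=people,o=company"
ACL = Acl(RULES, {"cn=Admin,ou=nl,o=people,o=company": {ALICE},
                  "cn=Admin,ou=hosts,o=internet,o=company": {ALICE}})

if __name__ == "__main__":
    for q in [(ALICE, BOB, "userPassword", "write"), (None, BOB, "entry", "search"),
              (ALICE, "cn=h1,ou=hosts,o=internet,o=company", "entry", "write")]:
        print(q, "->", ACL.check(*q))
```

Running it shows alice getting write on bob's userPassword through the `$3`-expanded group, an anonymous bind stopping at `auth` on the `entry` rule (so its search is refused), and the hosts rule denying alice even though she is in the hosts admin group, because `$1` never expanded. The same `check()` call against a real rule set, with the bound DN and the pseudo-attribute being requested, is a quick way to see which clause slapd's `-d -1` trace is actually stopping on.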