
Re: ACL for only creating entry



> I had to change the below ACL suggestion slightly, replacing your
> "exact" with "base" (otherwise openldap wouldn't accept it), but no
> success. The account webregister is not able to see any of the children
> entries in the directory, as intended, but it is not able to create
> them at all. I get "permission denied" errors.
>
> # Forbid all access to individual users by WebRegister
> access to dn.regex="uid=(.+),ou=users,dc=theoretic,dc=com"
>  by dn.regex="uid=$1,ou=users,dc=theoretic,dc=com" read
>  by * none
>
> # Grant access to WebRegister to create new users,
> #  even if it can't see them (above ACL)
> access to dn.base="ou=users,dc=example,dc=com" attrs=children
>  by dn.base="uid=webregister,ou=services,dc=theoretic,dc=com" write
>  by * none

The second ACL never gets caught because the first one intercepts
it (ACL evaluation goes from specific to generic and in order).

Try to elaborate on

# allow webregister to add a child to ou=users
# (the base DN must be the real parent in your suffix, dc=theoretic,dc=com,
#  not the dc=example placeholder from the earlier suggestion)
access to dn.base="ou=users,dc=theoretic,dc=com" attrs=children
    by dn.exact="uid=webregister,ou=services,dc=theoretic,dc=com" write
    by * none

# allow access to any user and its subtree by the user itself
# with read privileges and by webregister with write privileges
# note: the optional "(.*,)?" prefix is capture group $1, so the uid is $2
access to dn.regex="^(.*,)?uid=([^,]+),ou=users,dc=theoretic,dc=com$$"
    by dn.exact,expand="uid=$2,ou=users,dc=theoretic,dc=com" read
    by dn.exact="uid=webregister,ou=services,dc=theoretic,dc=com" write
    by * none

# or, allow access to any user by self with read privileges
# and by webregister with write privileges, if this is what you mean
access to dn.regex="^uid=([^,]+),ou=users,dc=theoretic,dc=com$$"
    by self read
    by dn.exact="uid=webregister,ou=services,dc=theoretic,dc=com" write
    by * none

p.
-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
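To make the ordering point concrete, here is an added Python model (not OpenLDAP code and not part of this thread) of how slapd picks the first matching "access to" clause and then the first matching "by" clause inside it. It uses the DNs from the thread, takes the posted clauses with the suffix made consistent (dc=theoretic throughout), and assumes the usual rule that an add needs write on the parent's children and write on the new entry itself.

```python
import re

# Model of slapd ACL evaluation: first "to" clause whose dn regex and attrs
# match the target wins; inside it the first matching "by" clause decides;
# an exhausted "by" list behaves like "by * none".
WEBREG = "uid=webregister,ou=services,dc=theoretic,dc=com"
USERS = "ou=users,dc=theoretic,dc=com"

def who_matches(who, requester, target, groups):
    kind, pattern = who
    if kind == "*":
        return True
    if kind == "self":
        return requester == target
    if kind == "exact":           # dn.exact: literal DN comparison
        return requester == pattern
    if kind == "exact,expand":    # dn.exact,expand: substitute $N from the "to" regex
        expanded = re.sub(r"\$(\d)", lambda m: groups[int(m.group(1)) - 1] or "", pattern)
        return requester == expanded
    raise ValueError(kind)

def evaluate(acls, target, attr, requester):
    """Access level requester gets on attr of target under acls (first match wins)."""
    for to_regex, attrs, by_list in acls:
        m = re.search(to_regex, target)
        if not m or (attrs is not None and attr not in attrs):
            continue
        for who, level in by_list:
            if who_matches(who, requester, target, m.groups()):
                return level
        return "none"  # matched "to" clause, no matching "by": implicit "by * none"
    return "none"

# Posted order: the per-user clause comes first and grants webregister nothing,
# so the new entry's own DN resolves to "none" before the children clause is reached.
POSTED = [
    (r"uid=(.+),ou=users,dc=theoretic,dc=com", None,
     [(("exact,expand", "uid=$1,ou=users,dc=theoretic,dc=com"), "read")]),
    (r"^ou=users,dc=theoretic,dc=com$", {"children"}, [(("exact", WEBREG), "write")]),
]
# Reply's order: children of ou=users first, then per-user entries (and their subtree).
SUGGESTED = [
    (r"^ou=users,dc=theoretic,dc=com$", {"children"}, [(("exact", WEBREG), "write")]),
    (r"^(.*,)?uid=([^,]+),ou=users,dc=theoretic,dc=com$", None,
     [(("exact,expand", "uid=$2,ou=users,dc=theoretic,dc=com"), "read"),
      (("exact", WEBREG), "write")]),
]

def can_add(acls, new_dn, parent_dn, requester):
    """An add needs write on the parent's children AND write on the new entry."""
    return (evaluate(acls, parent_dn, "children", requester) == "write"
            and evaluate(acls, new_dn, "entry", requester) == "write")
```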