[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Problem with ACL and regex
> Hey Pierangelo,
>
> thank you for your fast reply... I just modified my configuration but I
> still have the same result both admin and normal users only have access
> to the global directory (ou=company-adressbook,dc=cw).
>
> Any other ideas ?
That you clarify where the address book is (the full DN)
and who should be allowed to access it. In detail, what
groups have to do with it.
p.
>
> Thanks a lot Michael
>
>> this should be
>>
>> access to * attrs=userPassword
>> by self write
>> by dn.exact="cn=admin,ou=user,dc=cw" write
>> by anonymous auth
>>
>> Note that if "cn=admin,ou=user,dc=cw" is your rootdn
>> you don't need the second "by" clause, it's implicit.
> Hmm I don´t really understand. I thought this would only my rootdn when
> binding with this specific dn...
>
>
>>> # User s only allowed to access subfolder of himself
>>>
>>> access to dn.regex="^cn=[^,],ou=user,dc=cw" attrs=children
>>> by group.regex="cn=$1,ou=user,dc=cw" read
>>> by group.regex="cn=$1,ou=user,dc=cw" search
>>
>> This should be
>>
>> access to dn.regex="^cn=([^,]+),ou=user,dc=cw$$" attrs=children
>> by group.regex="cn=$1,ou=user,dc=cw" read
>> by group.regex="cn=$1,ou=user,dc=cw" search
>>
>>> # Admin should have Access rights to write everywhere
>>> access to *
>>> by dn="cn=admin,ou=users,dc=cw" write
>>
>> Again, note that if "cn=admin,ou=user,dc=cw" is your
>> rootdn you don't need to mention it in "by" clauses.
>>
>> Something might be missing to obtain what you want;
>> I note that the ACL about groups is a bit curious:
>> you're allowing everybody to read access their own
>> entry as if it were a group; the two "by" clauses
>> have exactly the same pattern but different access
>> privileges. I think you should review the way
>> groups are intended to work.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it