
Re: Problem with ACL and regex



> Hi,
>
> removing the break leads to the right direction. Now a normal user can
> access

^^^ what access level? read? write?

> the global book and his own user level (only his own) but - as
> last error he can't access his private addressbook under his user level
> (cn=mmaier,ou=user,dc=cw is accessible but not
> (ou=addressbook,cn=mmaier,ou=user,dc=cw). I've played again with the
> options for hours today but I have really problems understanding how
> these ACLs should work...
>
> So my actual config is:
>
> -------------
>
> access to dn.regex="cn=(.+),ou=user,dc=cw"
>          by self write
>          by dn="cn=admin,ou=user,dc=cw" write
>          by * auth
> access to dn.regex="ou=addressbook,cn=(.+),ou=user,dc=cw"
>          by self write
>          by dn="cn=admin,ou=user,dc=cw" write
>          by * auth
> access to attribute=userPassword
>         by self write
>         by dn="cn=admin,ou=user,dc=cw" write
>         by anonymous auth
> access to dn="ou=company-addressbook,dc=cw"
>         by dn="cn=admin,ou=user,dc=cw" write
>         by users read
>         by users search
>
> access to *
>         by dn="cn=admin,ou=users,dc=cw" write
>         by users read

let me rearrange your rules:

access to attrs=userPassword
        by self write
        by dn="cn=admin,ou=user,dc=cw" write
        by anonymous auth

# this is a bit dangerous: a user is allowed
# to __WRITE__ everything of its own entry
access to dn.regex="cn=.+,ou=user,dc=cw"
        by self write
        by dn="cn=admin,ou=user,dc=cw" write
        by * none

# same as above; BTW: this is the parent
# of the actual address book entries, right?
access to dn.regex="ou=addressbook,cn=([^,]+),ou=user,dc=cw"
        by dn.exact,expand="cn=$1,ou=user,dc=cw" write
        by dn="cn=admin,ou=user,dc=cw" write
        by * none

# warning, this is implied by the rule below
access to dn="ou=company-addressbook,dc=cw"
        by dn="cn=admin,ou=user,dc=cw" write
        by users read
        by * none

access to *
        by dn="cn=admin,ou=users,dc=cw" write
        by users read
        by * none

If you want to allow users to read/write their own address book, which, I
assume, means append entries below
"ou=addressbook,cn=([^,]+),ou=user,dc=cw" you need to do:

# allow everybody to try to bind
access to attrs=userPassword
        by self write
        by dn.exact="cn=admin,ou=user,dc=cw" write
        by anonymous auth

# give read access to one's entry to himself only
access to dn.regex="^cn=([^,]+),ou=user,dc=cw$$"
        by self read
        by dn.exact="cn=admin,ou=user,dc=cw" write
        by * none

# allow one to create children of its own addressbook
access to dn.regex="^ou=addressbook,cn=([^,]+),ou=user,dc=cw$$"
                attrs=children
        by dn.exact,expand="cn=$1,ou=user,dc=cw" write
        by dn.exact="cn=admin,ou=user,dc=cw" write
        by * none

# allow one to create entries in its own addressbook
access to dn.regex="[^,]+,ou=addressbook,cn=([^,]+),ou=user,dc=cw$$"
                attrs=entry,<list what attributes one needs to write>
        by dn.exact,expand="cn=$1,ou=user,dc=cw" write
        by dn.exact="cn=admin,ou=user,dc=cw" write
        by * none

# allow everybody to read everything else, including
# the company-wide addressbook
access to *
        # note: the original config had "ou=users" here, unlike every
        # other admin DN above; with that spelling admin would only get
        # "users read" on the company-wide addressbook
        by dn.exact="cn=admin,ou=user,dc=cw" write
        by users read
        by * none

Please replace the <list what attributes one needs to write> with
whatever you want to allow one to write; or, if you basically want
to allow writing all the attributes allowed by a specific
objectClass, say "inetOrgPerson", you can use "@inetOrgPerson";
don't forget to list the pseudo-attribute "entry".

p.

>
> ---
>
> The only thing which is still missing is the user access to their
> phonebooks which currently does not work.
>
> These ACL drive me crazy - if anybody has a clue on how to fix that
> problem please tell me...
>
> Thank you in advance
>
> Michael
>
>>> > #Order matters put the entries I suggested first
>>
>>> > access to dn.regex="cn=(.+),ou=user,dc=cw"
>>> >     by self read
>>> >     by dn="cn=admin,ou=user,dc=cw" write
>>         by * auth
>> Remove break at the end of the line above.
>>
>> The way acls work (or at least the behaviour I have noticed) is that
>> when you match one acl then it stops checking,
>> so if you use break at the end it will keep on going to the next acl.
>> In my setup I first restrict everything I want to restrict and later
>> on I allow access to the rest.
>>
>> The other thing you can try is to leave it as is but then on the last
>> line change of the config to:  access to * by users search
>> instead of access to * by users read
>>
>>> > access to dn.regex="ou=addressbook,cn=(.+),ou=user,dc=cw"
>>> >     by self write
>>> >     by dn="cn=admin,ou=user,dc=cw" write
>>> >     by * auth
>>> > # Remove the * that you had in this line
>>> > access to attribute=userPassword
>>> >     by self write
>>> >         by dn="cn=admin,ou=user,dc=cw" write
>>> >         by anonymous auth
>>> > access to dn="ou=company-addressbook,dc=cw"
>>> >         by dn="cn=admin,ou=user,dc=cw" write
>>> >         by users read
>>> >         by users search
>>> > access to *
>>> >         by dn="cn=admin,ou=users,dc=cw" write
>>> >         by users read
>>
>>
>>
>> Diego
>>
>>
>> On Wed, 10 Mar 2004, Michael Hamann wrote:
>>
>>> Hey Diego,
>>>
>>> thank you for your answer. Now a normal User can see the global
>>> addressbook but also all books of the other users. Except of the
>>> userPassword Field I can access all attributes under the
>>> ou=user,dc=cw tree...
>>>
>>> I found out that when I comment out the last line of your config (the
>>> access to * by users read) then the user has only access to the
>>> global area. So it seems to me that the earlier rules are not fully
>>> recognized -
>>> which I do not really understand why...
>>>
>>> Michael
>>>
>>> >> >> As commented in my slapd.conf file I want:
>>> >> >>
>>> >> >> - every authorized user to read the global addressbook
>>> >> >> - admin should have right to write everywhere
>>> >> >> - the users should be able to update their own addressbook
>>> under
>>> >> >>   their own tree.
>>> >> >>
>>> >
>>> > #Order matters put the entries I suggested first
>>> > access to dn.regex="cn=(.+),ou=user,dc=cw"
>>> >  	by self read
>>> >  	by dn="cn=admin,ou=user,dc=cw" write
>>> >  	by * auth break
>>> > access to dn.regex="ou=addressbook,cn=(.+),ou=user,dc=cw"
>>> >  	by self write
>>> >  	by dn="cn=admin,ou=user,dc=cw" write
>>> >  	by * auth
>>> > # Remove the * that you had in this line
>>> > access to attribute=userPassword
>>> > 	by self write
>>> >         by dn="cn=admin,ou=user,dc=cw" write
>>> >         by anonymous auth
>>> > access to dn="ou=company-addressbook,dc=cw"
>>> >         by dn="cn=admin,ou=user,dc=cw" write
>>> >         by users read
>>> >         by users search
>>> > access to *
>>> >         by dn="cn=admin,ou=users,dc=cw" write
>>> >         by users read


-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
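To make the thread's point concrete, here is an added toy model of how slapd selects an ACL (it is example code written for this page, not OpenLDAP's implementation): the first "access to" clause whose target covers the entry wins, the first matching "by" clause inside it decides the level, and evaluation stops there ("break", privilege arithmetic, and the userPassword/attrs rules are left out). It assumes the DNs from the thread and models "dn.exact,expand" by filling $1 from the regex group. Run against Michael's unanchored rules it reproduces his symptom (the owner only gets "auth" on his own addressbook because "self" never matches an entry other than the bound one), and against Pierangelo's anchored rewrite it shows the owner getting "children" write while other users get "none" there, though they can still read the container entry through the catch-all.

```python
# Added toy model of slapd ACL evaluation (not OpenLDAP's code): the first
# 'access to' clause covering the entry wins, its first matching 'by' decides.
import re
ADMIN = "cn=admin,ou=user,dc=cw"

def _what(pat, attrs, dn, attr):
    # attr None means the entry itself, i.e. the "entry" pseudo-attribute
    if attrs is not None and (attr or "entry") not in attrs:
        return None
    # slapd.conf writes a literal '$' as '$$'; like regexec(), unanchored
    return True if pat == "*" else re.search(pat.replace("$$", "$"), dn)

def _who(who, bind, dn, m):
    if who == "*":
        return True
    if who in ("users", "anonymous"):
        return (bind != "") == (who == "users")
    if who == "self":                  # only when the target IS the bound entry
        return bind == dn
    kind, val = who                    # ("dn.exact", dn) / ("dn.exact,expand", tpl)
    if kind == "dn.exact,expand":      # $1 is filled from the regex group
        val = m.expand(val.replace("$", "\\"))
    return bind == val

def access(rules, bind, dn, attr=None):
    """Privilege name bind gets on dn (attr=None means the entry itself)."""
    for pat, attrs, by in rules:
        m = _what(pat, attrs, dn, attr)
        if m is None:
            continue
        for who, level in by:
            if _who(who, bind, dn, m):
                return level
        return "none"                  # <what> matched but no <by> did: denied
    return "none"

AUTH_ONLY = [("self", "write"), (("dn.exact", ADMIN), "write"), ("*", "auth")]
ORIGINAL = [                           # Michael's rules (company book omitted)
    ("cn=(.+),ou=user,dc=cw", None, AUTH_ONLY),
    ("ou=addressbook,cn=(.+),ou=user,dc=cw", None, AUTH_ONLY),
    ("*", None, [(("dn.exact", ADMIN), "write"), ("users", "read")]),
]
PROPOSED = [                           # Pierangelo's rewrite: anchored + expand
    ("^cn=([^,]+),ou=user,dc=cw$$", None,
     [("self", "read"), (("dn.exact", ADMIN), "write"), ("*", "none")]),
    ("^ou=addressbook,cn=([^,]+),ou=user,dc=cw$$", {"children"},
     [(("dn.exact,expand", "cn=$1,ou=user,dc=cw"), "write"),
      (("dn.exact", ADMIN), "write"), ("*", "none")]),
    ("*", None, [(("dn.exact", ADMIN), "write"), ("users", "read"), ("*", "none")]),
]
```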