[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Problem with ACL and regex

To: <hyc@highlandsun.com>
Subject: RE: Problem with ACL and regex
From: "Pierangelo Masarati" <ando@sys-net.it>
Date: Wed, 10 Mar 2004 18:09:38 +0100 (CET)
Cc: <mail@mhamann.net>, <dijuremo@math.gatech.edu>, <openldap-software@OpenLDAP.org>
Importance: Normal
In-reply-to: <016a01c406bd$61e7e6f0$8601a8c0@CELLO>
References: <63169.81.72.89.40.1078930084.squirrel@webmail.sys-net.it> <016a01c406bd$61e7e6f0$8601a8c0@CELLO>

to make it clear?  overkill, I removed it also from the FAQ:

http://www.openldap.org/faq/index.cgi?file=1005

p.


>> -----Original Message-----
>> From: owner-openldap-software@OpenLDAP.org
>> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Pierangelo
> Masarati
>
>> Let me fix a coupel of typos and add an extra rule
>> to my previous message:
>>
>> # allow everybody to try to bind
>> access to attrs=userPassword
>>         by self write
>>         by dn.exact="cn=admin,ou=user,dc=cw" write
>>         by anonymous auth
>>
>> # give read access to one's entry to himself only
>> access to dn.regex="^cn=([^,]+)ou=user,dc=cw$$"
>>         by self read
>>         by dn.exact="cn=admin,ou=user,dc=cw" write
>>         by * none
>>
>> # allow one to create chidren of its own addressbook
>> access to dn.regex="^ou=addressbook,cn=([^,]+),ou=user,dc=cw$$"
>>                 attrs=children
>>         by dn.exact,expand="cn=$1,ou=user,dc=cw" write
>>         by dn.exact="cn=admin,ou=user,dc=cw" write
>>         by * none
>>
>> # allow no-one else read access to one's addressbook entry
>> access to dn.regex="^ou=addressbook,cn=([^,]+),ou=user,dc=cw$$"
>>         by dn.exact,expand="cn=$1,ou=user,dc=cw" read
>>         by dn.exact="cn=admin,ou=user,dc=cw" write
>>         by * none
>>
>> # allow one to create entries in its own addressbook;
>> # no-one else can read it
>> access to dn.regex="[^,]+,ou=addressbook,cn=([^,]+),ou=user,dc=cw$$"
>>                 attrs=entry,<list what attributes one needs to write>
>>         by dn.exact,expand="cn=$1,ou=user,dc=cw" write
>>         by dn.exact="cn=admin,ou=user,dc=cw" write
>>         by * none
>>
>> # allow everybody to read everything else, including
>> # the company-wide addressbook
>> access to *
>>         by dn.exact="cn=admin,ou=user,dc=cw" write
>>         by users read
>>         by * none
>
> There is no need to include "by * none" at the end of any of these
> clauses; that is the default behavior already. I'm puzzled why you chose
> to add it on every clause except the first one.
>
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support


-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it

References:
- Re: Problem with ACL and regex
  - From: "Pierangelo Masarati" <ando@sys-net.it>
- RE: Problem with ACL and regex
  - From: "Howard Chu" <hyc@highlandsun.com>

Prev by Date: RE: AIX v5.2 ML02 and OL v2.2.6
Next by Date: Re: Laser mail routting schema
Index(es):
- Chronological
- Thread