Re: Access list - limiting access to attribute
> Pierangelo Masarati wrote:
>>>I need to limit access to mail-related attributes of my users' tree. I
>>> created the following acl entries:
>>>
>>> access to dn="ou=(groups|users|services),dc=one,dc=two,dc=com$$"
>>>     attrs=mail
>>>     by dn="cn=admin,dc=two,dc=com$$" write
>>>     by self write
>>>     by dn.base="uid=mailBrowser,ou=system,dc=one,dc=two,dc=com" read
>>>     by dn.base="uid=usersBrowser,ou=system,dc=one,dc=two,dc=com" read
>>>
>>> access to dn="ou=(groups|users|services),dc=one,dc=two,dc=com$$"
>>>     by dn="cn=admin,dc=two,dc=com$$" write
>>>     by dn.base="uid=usersBrowser,ou=system,dc=one,dc=two,dc=com" read
>>>     by self read
>>>
>>>But I still cannot make user "mailBrowser" to browse the attribute
>>> "mail". It cannot access it unless it is given same privileges as user
>>> "usersBrowser" has. But it can see all other attributes then.
>>
>>
>> If you use 2.2 you are not requesting regex dn match; 2.2 defaults to
>> exact, as clearly stated in the documentation (e.g. slapd.access(5)).
>> Also, you don't need the double '$$' at the end of the regex. It is
>> only needed in the <who> clause if using the regex style. Your ACLs
>> should look like:
>
> Currently I'm using 2.1.29.
OK.
>
>> access to dn.regex="ou=(groups|users|services),dc=one,dc=two,dc=com$"
>> attrs=mail
>> by dn.exact="cn=admin,dc=two,dc=com" write
>> by self write
>> by dn.exact="uid=mailBrowser,ou=system,dc=one,dc=two,dc=com" read
>> by dn.exact="uid=usersBrowser,ou=system,dc=one,dc=two,dc=com" read
>>
>> access to dn.regex="ou=(groups|users|services),dc=one,dc=two,dc=com$"
>> by dn.exact="cn=admin,dc=two,dc=com" write
>> by dn.exact="uid=usersBrowser,ou=system,dc=one,dc=two,dc=com" read
>> by self read
>
> I changed it this way but it didn't help. (read below)
>
>>
>> I assume you mean to allow access to the entire subtree, since the
>> rules, as written now, imply that a dn
>>
>> cn=anything,ou=(groups|users|services),dc=one,dc=two,dc=com
>>
>> would match. BTW, I really can't tell the difference between the
>> <what> clauses of either rule. They are exactly the same, aren't
>> they?
>
> The difference is the first rule should define access to all attributes
> "mail" in the subtree. Maybe I'm wrong but I used the second rule to
> define the listed users' access to all other attributes except
> "mail".
Sure, I missed the attr=mail stuff!
>
> If I understand it right, the system first checks the first rule to see
> if I (mailBrowser user) have enough permission to access <what>. In
> first case the <what> only specifies access to "mail" attribute of
> objects in "ou=(groups|users|services),dc=one,dc=two,dc=com$" subtree.
> Access to other attributes I specified by the second rule.
So, let's start from scratch. <who> needs access to <what>; note that
looking at the logs at ACL level (should be 128, AFAIR) can help.
Note that by running test003 in 2.1 and adding the ACLs below I can
perfectly change the attribute "description" in ou=People, but I cannot
change anything else, if I bind as Bjorn Jensen.
access to attr=userpassword
    by * auth
access to dn.regex="^ou=(People|Groups),o=University of Michigan,c=US$"
    attr=description
    by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,o=University of Michigan,c=US" write
access to dn.regex="^ou=(People|Groups),o=University of Michigan,c=US$"
    by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,o=University of Michigan,c=US" read
access to *
    by * read
A log of your ACL checking process would definitely help.
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
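As an added illustration (not part of the thread and not slapd's own code), here is a small Python model of the first-match evaluation discussed above, fed the test003 ACLs quoted in the reply; it simplifies slapd's real behaviour (no dnattr/group <who> forms, no break/continue controls, no configured default access) but is enough to see why Bjorn Jensen can write "description" on ou=People and nothing else, and why an unanchored dn.regex also matches entries below the ou.

```python
import re
# slapd privilege levels, weakest first: a grant at level L satisfies any request at or below L.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def norm(dn):  # crude stand-in for slapd DN normalisation: case-insensitive, no blanks around commas
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def what_matches(rule, target, attr):
    # <what>: dn=("regex", pattern) or ("exact", dn); no dn key means '*'. attrs limits the attribute.
    sel = rule.get("dn")
    if sel and sel[0] == "regex" and not re.search(sel[1], norm(target), re.I):
        return False
    if sel and sel[0] == "exact" and norm(sel[1]) != norm(target):
        return False
    return "attrs" not in rule or attr.lower() in [a.lower() for a in rule["attrs"]]

def who_matches(who, binddn, target):
    # <who>: "*", "self" (bind DN is the target entry) or ("exact", dn), tested against the bind DN.
    if who == "*":
        return True
    return binddn is not None and norm(binddn) == norm(target if who == "self" else who[1])

def granted(acls, binddn, target, attr):
    # First directive whose <what> matches is used; within it the first matching <by> decides.
    # A matching directive with no matching <by> denies: later directives are never consulted.
    for rule in acls:
        if what_matches(rule, target, attr):
            for who, level in rule["by"]:
                if who_matches(who, binddn, target):
                    return level
            return "none"
    return "none"  # simplification: real slapd applies its configured default access here

def allowed(acls, binddn, target, attr, want):
    return LEVELS.index(granted(acls, binddn, target, attr)) >= LEVELS.index(want)

# The test003 ACLs quoted in the mail above, written as data for the evaluator.
BJORN = "cn=Bjorn Jensen,ou=Information Technology Division,ou=People,o=University of Michigan,c=US"
OU_RE = r"^ou=(People|Groups),o=University of Michigan,c=US$"
TEST003 = [
    {"attrs": ["userpassword"], "by": [("*", "auth")]},
    {"dn": ("regex", OU_RE), "attrs": ["description"], "by": [(("exact", BJORN), "write")]},
    {"dn": ("regex", OU_RE), "by": [(("exact", BJORN), "read")]},
    {"by": [("*", "read")]},
]
PEOPLE = "ou=People,o=University of Michigan,c=US"
if __name__ == "__main__":
    print(allowed(TEST003, BJORN, PEOPLE, "description", "write"))  # True
    print(allowed(TEST003, BJORN, PEOPLE, "ou", "write"))           # False: directive 3 grants only read
    print(granted(TEST003, BJORN, BJORN, "userPassword"))           # auth: directive 1 matched, no fall-through
```

Raising the ACL log level (128, as the reply suggests) shows the same "which directive matched, which <by> matched" trace from the real server.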