
Re: ACL Help - detailed information follows



At 02:05 PM 2/16/2006, Terry wrote:
>I am trying to write to an entry.   Here is my log:
>
>Feb 16 15:57:18 localhost slapd[26992]: => acl_mask: access to entry
>"uid=39,ou=addr,uid=joe,ou=Users,ou=OxObjects,dc=domain,dc=net", attr
>"telephoneNumber" requested

   by <uid=joe,ou=Users,ou=OxObjects,dc=domain,dc=net>.

>Here is my acl config:
>
>access to dn.base="" by * read

n/a

>access to dn.base="cn=Subschema" by * read

n/a


># protect the userPassword attribute
>access to attr=userPassword
>    by self =w
>    by anonymous auth

n/a


># global address book
>access to dn.subtree="o=AddressBook,ou=OxObjects,dc=domain,dc=net"
>    by group.exact="cn=AddressAdmins,o=AddressBook,ou=OxObjects,dc=domain,dc=net" write
>    by users read

n/a


># personal address book
>access to dn.regex="^ou=addr,(uid=([^,]+),ou=Users,ou=OxObjects,dc=domain,dc=net)$"
>    attrs=children
>    by dn.exact,expand="$1" write

n/a


>access to dn.regex="^uid=([^,]+),ou=addr,(uid=([^,]+),ou=Users,ou=OxObjects,dc=domain,dc=net)$"
>    attrs=entry
>    by dn.exact,expand="$2" write

n/a


># default rule allowing users full access to their own entries
>access to *
>    by self write
>    by users read

applicable. Target is not the subject; the subject is authenticated, so read
should be granted.

>Feb 16 15:57:18 localhost slapd[26992]: => access_allowed: write
>access denied by read(=rscx)
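The walk through the directives above, replayed in code. This is an added example, not part of the original thread and not OpenLDAP's own code: a deliberately simplified model of how slapd takes the first "access to" directive whose target covers the request and then the first "by" clause within it whose subject matches, fed the ACLs Terry posted and the request from his log. The GROUPS table (with a made-up uid=admin member), the norm() DN normalization, the treatment of "=w" as the write level, and the replay_without_attrs_entry variant are assumptions of this example, not anything the thread states.

```python
import re

# Added example (not from the thread, not slapd's code): a simplified model of slapd's ACL
# walk, used to replay the logged request against the posted ACLs. Group membership,
# DN normalization and the "=w" mapping below are assumptions of this example.

# slapd's privilege levels in ascending order.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

USERS = "ou=Users,ou=OxObjects,dc=domain,dc=net"

# Constructed group table standing in for the AddressAdmins groupOfNames entry (uid=admin is made up).
GROUPS = {
    "cn=addressadmins,o=addressbook,ou=oxobjects,dc=domain,dc=net": {
        "uid=admin,ou=users,ou=oxobjects,dc=domain,dc=net",
    },
}

def norm(dn):
    """Assumption: DNs compare case-insensitively, with whitespace after commas dropped."""
    return re.sub(r",\s*", ",", dn.strip()).lower()

# The posted slapd.conf directives, in order. Each entry is one "access to" directive:
# target = (kind, pattern), optional attrs list, by = [((subject kind, arg), level), ...].
TERRYS_ACLS = [
    {"target": ("dn.base", ""), "by": [(("*", None), "read")]},
    {"target": ("dn.base", "cn=Subschema"), "by": [(("*", None), "read")]},
    # "=w" is a privilege set, not a level; modelled as "write" since a write request is what matters here
    {"target": ("*", None), "attrs": ["userPassword"],
     "by": [(("self", None), "write"), (("anonymous", None), "auth")]},
    {"target": ("dn.subtree", "o=AddressBook,ou=OxObjects,dc=domain,dc=net"),
     "by": [(("group.exact", "cn=AddressAdmins,o=AddressBook,ou=OxObjects,dc=domain,dc=net"), "write"),
            (("users", None), "read")]},
    {"target": ("dn.regex", rf"^ou=addr,(uid=([^,]+),{USERS})$"), "attrs": ["children"],
     "by": [(("dn.exact,expand", "$1"), "write")]},
    {"target": ("dn.regex", rf"^uid=([^,]+),ou=addr,(uid=([^,]+),{USERS})$"), "attrs": ["entry"],
     "by": [(("dn.exact,expand", "$2"), "write")]},
    {"target": ("*", None), "by": [(("self", None), "write"), (("users", None), "read")]},
]

def target_matches(rule, dn, attr):
    """Regex groups (a tuple, possibly empty) if the target covers (dn, attr), else None."""
    attrs = rule.get("attrs")
    if attrs is not None and attr.lower() not in {a.lower() for a in attrs}:
        return None  # attrs= is part of the target: a request for another attribute skips the rule
    kind, pat = rule["target"]
    if kind == "*":
        return ()
    if kind == "dn.base":
        return () if norm(dn) == norm(pat) else None
    if kind == "dn.subtree":
        d, p = norm(dn), norm(pat)
        return () if d == p or d.endswith("," + p) else None
    if kind == "dn.regex":
        m = re.match(pat, dn, re.IGNORECASE)  # slapd compiles ACL regexes case-insensitively
        return m.groups() if m else None
    raise ValueError(kind)

def subject_matches(by, subject, target_dn, groups):
    """subject is the bound DN, or None for anonymous; groups come from a dn.regex target."""
    kind, arg = by
    if kind == "*":
        return True
    if kind == "anonymous":
        return subject is None
    if kind == "users":
        return subject is not None
    if kind == "self":
        return subject is not None and norm(subject) == norm(target_dn)
    if kind == "dn.exact,expand":  # $N is replaced by the Nth capture of the target regex
        i = int(arg.lstrip("$")) - 1
        return subject is not None and i < len(groups) and norm(subject) == norm(groups[i])
    if kind == "group.exact":
        return subject is not None and norm(subject) in GROUPS.get(norm(arg), set())
    raise ValueError(kind)

def check(acls, subject, target_dn, attr, requested):
    """First directive whose target matches is decisive; within it, the first matching by clause."""
    for i, rule in enumerate(acls):
        groups = target_matches(rule, target_dn, attr)
        if groups is None:
            continue
        for by, level in rule["by"]:
            if subject_matches(by, subject, target_dn, groups):
                return {"rule": i, "by": by, "level": level,
                        "granted": LEVELS.index(level) >= LEVELS.index(requested)}
        return {"rule": i, "by": None, "level": "none", "granted": False}  # implicit "by * none"
    return {"rule": None, "by": None, "level": "none", "granted": False}

# The request from Terry's log: joe writing telephoneNumber on an entry in his own address book.
LOGGED_REQUEST = dict(subject=f"uid=joe,{USERS}", target_dn=f"uid=39,ou=addr,uid=joe,{USERS}",
                      attr="telephoneNumber", requested="write")

def replay_posted_config():
    return check(TERRYS_ACLS, **LOGGED_REQUEST)

def replay_without_attrs_entry():
    """Hypothetical variant: the address-entry rule without attrs=entry, so it covers all attributes."""
    acls = [dict(r) for r in TERRYS_ACLS]
    acls[5].pop("attrs")
    return check(acls, **LOGGED_REQUEST)

if __name__ == "__main__":
    for name, fn in (("posted config", replay_posted_config), ("without attrs=entry", replay_without_attrs_entry)):
        print(name, "->", fn())
```

Run as-is, the posted config lands on rule 6 (the "access to *" default) via "by users read", which is the read(=rscx) the log reports as the ceiling for a write request; the regex rule for address entries never sees the request because attrs=entry limits it to the entry pseudo-attribute, not telephoneNumber. The variant only illustrates that mechanism; whether dropping attrs=entry is the right fix for Terry's setup is not something the thread settles.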