
Re: ACL Question



On 30.09.2010 02:04, Diego Lima wrote:
> Hello all,
> 
> I have the following structure on my LDAP server:
> 
> ou=Misc,dc=diegolima,dc=org
> ou=Users,dc=diegolima,dc=org
> 
> Under users I have some user accounts, such as
> cn=user1,ou=Users,dc=diegolima,dc=org. I'd like to allow users to
> create an OU under ou=Misc as long as the OU had the user's name, such
> as ou=user1,ou=Misc,dc=diegolima,dc=org for user1 or
> ou=user2,ou=Misc,dc=diegolima,dc=org for user2; however, I wouldn't
> like to simply create an ACL such as:
> 
> access to dn.exact="ou=Misc,dc=diegolima,dc=org"
>     by * add
> 
> as this ultimately allows user1 to create an ou named
> "ou=user2,ou=Misc". What I first tried was adding an ACL like this:
> 
> access to dn.regex="^ou=([^,]+),ou=Misc,dc=diegolima,dc=org"
>     by dn.exact,expand="cn=$1,dc=diegolima,dc=org" write
>     by * none
> 
> 
> However, I receive an error telling me that I need write access to the
> parent entry to create this, and if I use the first ACL I seem to be
> able to create OUs without any naming restriction. Is there even a way
> to accomplish this?
> 
> Thank you very much!
> 

Hi,

I think you need to add write permissions for the pseudo-attribute
"children" of the parent, i.e. something like this:


   access to dn="ou=Misc,dc=diegolima,dc=org" attrs=children
      by users write
      by * none

   access to dn.regex="^ou=([^,]+),ou=Misc,dc=diegolima,dc=org$"
      by dn.expand="cn=$1,ou=Users,dc=diegolima,dc=org" write
      by * none


That way, all authenticated users are allowed to write to child entries
of "ou=Misc,..." and the "dn.regex" rule then restricts to which
children users may write.


Regards,
Christian Manal
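The two clauses above cooperate: an add only succeeds when the bind DN has write access to the parent's "children" pseudo-attribute and to the new entry itself. The following Python model is an added illustration of that evaluation order and is not OpenLDAP's own ACL engine; the DNs are the ones from the thread, the DIT is assumed to contain no escaped commas, and the helper names are invented for the example.

```python
import re

# Constructed model of the two ACL clauses from the reply (not slapd's evaluator).
# Rule 1: access to dn="ou=Misc,dc=diegolima,dc=org" attrs=children
#             by users write
#             by * none
# Rule 2: access to dn.regex="^ou=([^,]+),ou=Misc,dc=diegolima,dc=org$"
#             by dn.expand="cn=$1,ou=Users,dc=diegolima,dc=org" write
#             by * none
PARENT_DN = "ou=Misc,dc=diegolima,dc=org"
CHILD_PATTERN = re.compile(r"^ou=([^,]+),ou=Misc,dc=diegolima,dc=org$", re.IGNORECASE)
OWNER_TEMPLATE = "cn=$1,ou=Users,dc=diegolima,dc=org"


def parent_dn(dn: str) -> str:
    """Strip the leading RDN. Assumes no escaped commas in the DN (constructed DIT)."""
    return dn.split(",", 1)[1]


def can_write_children(parent: str, bind_dn) -> bool:
    """Rule 1: any authenticated bind ("users") may write the parent's children
    pseudo-attribute; anonymous (bind_dn None) and other parents get nothing."""
    if parent.lower() != PARENT_DN.lower():
        return False
    return bind_dn is not None


def can_write_entry(target_dn: str, bind_dn) -> bool:
    """Rule 2: the regex captures the OU name and the $1 expansion names the
    single user DN that may write this child; everyone else gets 'none'."""
    match = CHILD_PATTERN.match(target_dn)
    if match is None or bind_dn is None:
        return False
    owner = OWNER_TEMPLATE.replace("$1", match.group(1))
    return bind_dn.lower() == owner.lower()


def can_add(target_dn: str, bind_dn) -> bool:
    """An add needs BOTH checks to pass, which is why the first ACL alone
    ("by * add" on the parent) could not enforce the naming restriction."""
    return can_write_children(parent_dn(target_dn), bind_dn) and can_write_entry(
        target_dn, bind_dn
    )


if __name__ == "__main__":
    user1 = "cn=user1,ou=Users,dc=diegolima,dc=org"
    for target, who in [
        ("ou=user1,ou=Misc,dc=diegolima,dc=org", user1),   # own OU: allowed
        ("ou=user2,ou=Misc,dc=diegolima,dc=org", user1),   # someone else's OU: denied
        ("ou=user1,ou=Misc,dc=diegolima,dc=org", None),    # anonymous: denied by rule 1
        ("ou=user1,ou=Users,dc=diegolima,dc=org", user1),  # wrong parent: denied by both
    ]:
        print(f"{who or 'anonymous':45s} add {target}: {can_add(target, who)}")
```

Running the script shows user1 allowed only for ou=user1 under ou=Misc; the anonymous and wrong-parent cases fail on the children check before the regex is even consulted, and the ou=user2 case passes the children check but fails the expanded-DN comparison in rule 2.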