
Re: ACL Question



Hi again!

I managed to get it working by doing this:

access to dn.regex="^ou=([^,]+),ou=Misc,dc=diegolima,dc=org$"
  by dn.exact,expand="cn=$1,ou=users,dc=diegolima,dc=org" write
  by * read

access to dn="ou=Misc,dc=diegolima,dc=org" attrs=children
  by users write
  by * read


I actually needed to use "dn.exact,expand" instead of just "dn.expand"
as it was not matching the client properly. I'm still trying to figure
out why, so if anyone can explain this to me I'd be very appreciative
:)

Anyway, it's working now! Thank you!

2010/9/30 Christian Manal <moenoel@informatik.uni-bremen.de>:
> Am 30.09.2010 02:04, schrieb Diego Lima:
>> Hello all,
>>
>> I have the following structure on my LDAP server:
>>
>> ou=Misc,dc=diegolima,dc=org
>> ou=Users,dc=diegolima,dc=org
>>
>> Under users I have some user accounts, such as
>> cn=user1,ou=Users,dc=diegolima,dc=org. I'd like to allow users to
>> create an OU under ou=Misc as long as the OU had the user's name, such
>> as ou=user1,ou=Misc,dc=diegolima,dc=org for user1 or
>> ou=user2,ou=Misc,dc=diegolima,dc=org for user2, however I wouldn't
>> like to simply create an ACL such as:
>>
>> access to dn.exact="ou=Misc,dc=diegolima,dc=org"
>>     by * add
>>
>> as this ultimately allows user1 to create an ou named
>> "ou=user2,ou=Misc". What I first tried was adding an ACL like this:
>>
>> access to dn.regex="^ou=([^,]+),ou=Misc,dc=diegolima,dc=org"
>>     by dn.exact,expand="cn=$1,dc=diegolima,dc=org" write
>>     by * none
>>
>>
>> However I receive an error telling me that I need write access to the
>> parent entry to create this, and if I use the first ACL I seem to be
>> able to create OUs without any naming restriction. Is there even a way
>> to accomplish this?
>>
>> Thank you very much!
>>
>
> Hi,
>
> I think you need to add write permissions for the pseudo attribute
> "children" of the parent, i.e. something like this:
>
>
>   access to dn="ou=Misc,dc=diegolima,dc=org" attrs=children
>      by users write
>      by * none
>
>   access to dn.regex="^ou=([^,]+),ou=Misc,dc=diegolima,dc=org$"
>      by dn.expand="cn=$1,ou=Users,dc=diegolima,dc=org" write
>      by * none
>
>
> That way, all authenticated users are allowed to write to child entries
> of "ou=Misc,..." and the "dn.regex" rule then restricts to which
> children users may write.
>
>
> Regards,
> Christian Manal
>



-- 
Diego Lima
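As an added illustration of the policy the two final ACLs express (this is an example written for this page, not code from the thread or from OpenLDAP), the following Python models their matching logic: rule 1 captures the OU name from the target DN, expands it into the owner DN and grants write only to that exact identity, while rule 2 grants write on the `children` pseudo-attribute of `ou=Misc` to any authenticated user. It is a simplified stand-in for slapd's ACL evaluation, not the real engine; it assumes DN comparison is case-insensitive (as slapd compares normalized DNs) and that an add requires write on the parent's `children` plus write on the new entry, which is what the "need write access to the parent" error in the thread reflects. Names such as `entry_access`, `children_access` and `can_add` are this example's own.

```python
import re
from typing import Optional

# Constructed model of the two ACLs from the final configuration in the
# thread. This is NOT slapd's ACL engine; it only mirrors the matching logic
# of those two rules so the intended policy can be checked offline.
# Assumptions: DN comparison is case-insensitive (slapd compares normalized
# DNs), and an "add" needs write on the parent's "children" pseudo-attribute
# plus write on the new entry itself.

BASE = "dc=diegolima,dc=org"
MISC = "ou=Misc," + BASE

# Rule 1: access to dn.regex="^ou=([^,]+),ou=Misc,dc=diegolima,dc=org$"
#             by dn.exact,expand="cn=$1,ou=users,dc=diegolima,dc=org" write
#             by * read
TARGET_RE = re.compile(r"^ou=([^,]+),ou=Misc,dc=diegolima,dc=org$", re.IGNORECASE)
OWNER_TEMPLATE = "cn=$1,ou=users,dc=diegolima,dc=org"


def same_dn(a: str, b: str) -> bool:
    """Case-insensitive DN equality, standing in for slapd's normalized compare."""
    return a.strip().lower() == b.strip().lower()


def entry_access(target_dn: str, bind_dn: Optional[str]) -> Optional[str]:
    """Rule 1: what the bound identity may do to an entry directly under ou=Misc.

    Returns None when the rule does not apply (DN not of the expected shape).
    The first matching 'by' clause wins, as in slapd.
    """
    m = TARGET_RE.match(target_dn)
    if m is None:
        return None
    owner = OWNER_TEMPLATE.replace("$1", m.group(1))  # expand $1 from the target regex
    if bind_dn is not None and same_dn(bind_dn, owner):
        return "write"          # by dn.exact,expand=... write
    return "read"               # by * read


def children_access(parent_dn: str, bind_dn: Optional[str]) -> Optional[str]:
    """Rule 2: access to the 'children' pseudo-attribute of ou=Misc."""
    if not same_dn(parent_dn, MISC):
        return None
    if bind_dn is not None:
        return "write"          # by users write (any authenticated identity)
    return "read"               # by * read (anonymous)


def parent_of(dn: str) -> str:
    """Strip the leftmost RDN; the empty string is the parent of a one-RDN DN."""
    parts = dn.split(",", 1)
    return parts[1] if len(parts) == 2 else ""


def can_add(new_dn: str, bind_dn: Optional[str]) -> bool:
    """An add succeeds only with write on the parent's children AND on the new entry."""
    return (children_access(parent_of(new_dn), bind_dn) == "write"
            and entry_access(new_dn, bind_dn) == "write")


def explain(new_dn: str, bind_dn: Optional[str]) -> str:
    """Human-readable trace of both checks for one add attempt."""
    who = bind_dn or "anonymous"
    verdict = "ALLOWED" if can_add(new_dn, bind_dn) else "DENIED"
    return (f"{who} adding {new_dn}: "
            f"children={children_access(parent_of(new_dn), bind_dn)}, "
            f"entry={entry_access(new_dn, bind_dn)} -> {verdict}")


if __name__ == "__main__":
    user1 = "cn=user1,ou=Users," + BASE
    print(explain("ou=user1,ou=Misc," + BASE, user1))   # own OU name: allowed
    print(explain("ou=user2,ou=Misc," + BASE, user1))   # another user's name: denied
    print(explain("ou=user1,ou=Misc," + BASE, None))    # anonymous: denied
```

The second case is the one the thread is about: user1 gets write on `children` of `ou=Misc` from rule 2, but rule 1 expands `$1` to `cn=user2,...`, which is not user1's bind DN, so only the `by * read` clause matches and the add is refused. Without rule 2 the first check would fail for everyone, which matches the "write access to the parent entry" error reported in the original question.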