
Re: I'm completely confused by ACLs ... @-)



On 16/11/10 10:51 +0100, Götz Reinicke - IT-Koordinator wrote:
> It should be so simple ... I thought.
>
> At first some things worked, but then I messed something up and now I'm
> completely confused.
>
> What I want (sooner or later):
>
> - users should authenticate using posix and samba accounts.
> - they may change their password.
> - they may look up other mail, phone, ... addresses in the ldap using
> Thunderbird or Apple Addressbook
> - they may change their phone number and (maybe) their postal address
> - admin users should be able to write and read everything.
>
> - anonymous users may later read the mail and cn/sn attribute.
>
> Maybe someone has such ACLs already set up and would like to share them or
> can help me?
>
> Would be great, because reading the docs and experimenting is helpful, but I
> did not end up with a working, secure, flexible, understandable setup.

We haven't deployed address books, but you might still find our approach
useful as a starting point. We intend to provide individual address books
for users to manage themselves, but we do not allow users to search for or
find other users. I've cut out all the group/admin related configuration
for simplicity.


access to dn.regex="ou=addressbook,uid=([^,]+),ou=people,dc=example,dc=net$"
        by dn.regex="uid=$1,ou=people,dc=example,dc=net" write
        by * none

access to dn.regex=".*,ou=addressbook,uid=([^,]+),ou=people,dc=example,dc=net$"
        by dn.regex="uid=$1,ou=people,dc=example,dc=net" write
        by * none

access to dn.base="ou=people,dc=example,dc=net"
        by anonymous auth
        by users read
        by * none

access to dn.base="ou=groups,dc=example,dc=net"
        by users read
        by * none

access to dn.base="ou=aliases,dc=example,dc=net"
        by anonymous auth
        by users read
        by * none

access to attrs=userPassword,shadowLastChange,sambaPwdLastSet,sambaLMPassword,sambaNTPassword,krb5KeyVersionNumber,krb5Key,cmusaslsecretOTP
        by anonymous auth
        by self write
        by * none

access to attrs=authzTo
        by anonymous auth
        by self read
        by * none

access to attrs=objectClass
        by anonymous auth
        by self read
        by * none

access to attrs=entry,uidNumber
        by anonymous auth
        by self read
        by * none

access to dn.base="" by * read

--
Dan White
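The reason the rules above work as intended (a user can write only the addressbook under his own uid, can change only his own password, and cannot read other users' entries at all) is slapd's evaluation order: the first "access to" directive whose target matches is the only one consulted, inside it the first matching "by" clause decides, and anything left unmatched is denied. The script below is an added example, not part of this thread and not OpenLDAP code; it parses a constructed subset of the posted directives (attribute list shortened), models dn.regex targets as an unanchored regex search with "$1" expanded textually from the target match, and evaluates a few bind/target pairs with assumed DNs for uid=alice and uid=bob. It does not model peername, sets, attrs=...val or the dn.subtree/dn.children scopes.

```python
"""Toy evaluator for slapd-style access directives (added example modelled on
the post above, not OpenLDAP code): first matching "access to" directive wins,
then first matching "by" clause, and everything unmatched is denied."""
import re

# Access levels in increasing order; a granted level satisfies any lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed subset of the posted directives (attribute list shortened).
ACL_TEXT = """
access to dn.regex="ou=addressbook,uid=([^,]+),ou=people,dc=example,dc=net$"
        by dn.regex="uid=$1,ou=people,dc=example,dc=net" write
        by * none

access to dn.base="ou=people,dc=example,dc=net"
        by anonymous auth
        by users read
        by * none

access to attrs=userPassword,shadowLastChange
        by anonymous auth
        by self write
        by * none

access to attrs=entry,uidNumber
        by anonymous auth
        by self read
        by * none
"""

TARGET_RE = re.compile(r'access\s+to\s+(?:dn\.(regex|base)="([^"]*)")?\s*(?:attrs=(\S+))?', re.I)
BY_RE = re.compile(r'\bby\s+(dn\.regex="[^"]*"|anonymous|users|self|\*)\s+(\w+)', re.I)


def parse_acl(text):
    """Return [(dn_kind, dn_value, attrs_or_None, [(who, who_value, level), ...])]."""
    directives = []
    for block in re.split(r"(?m)^(?=access\s+to)", text):
        block = " ".join(block.split())  # fold continuation lines into one
        if not block.lower().startswith("access"):
            continue
        t = TARGET_RE.match(block)
        attrs = {a.lower() for a in t.group(3).split(",")} if t.group(3) else None
        clauses = []
        for who, level in BY_RE.findall(block):
            if who.lower().startswith("dn.regex="):
                clauses.append(("dn.regex", who[len('dn.regex="'):-1], level.lower()))
            else:
                clauses.append((who.lower(), None, level.lower()))
        directives.append((t.group(1), t.group(2), attrs, clauses))
    return directives


def target_matches(directive, target_dn, attr):
    """Match/True when the directive covers (target_dn, attr); attr "entry" = the entry itself."""
    kind, value, attrs, _ = directive
    if attrs is not None and attr.lower() not in attrs:
        return None
    if kind is None:                  # no dn part: the directive applies to every entry
        return True
    if kind.lower() == "base":        # exact DN only, never its subtree
        return True if target_dn.lower() == value.lower() else None
    # dn.regex modelled as an unanchored search (POSIX regexec style); that is
    # why the posted patterns end in "$" to pin them to the directory suffix.
    return re.search(value, target_dn, re.I)


def who_grants(clause, bind_dn, target_dn, tmatch):
    """Level granted by one 'by' clause, or None when it does not apply ("" = anonymous)."""
    who, value, level = clause
    if who == "*":
        return level
    if who == "anonymous":
        return level if not bind_dn else None
    if who == "users":
        return level if bind_dn else None
    if who == "self":
        return level if bind_dn and bind_dn.lower() == target_dn.lower() else None
    if not bind_dn:                   # dn.regex never matches an anonymous bind
        return None
    pattern = value                   # expand $1, $2 ... from the target match groups
    if tmatch is not True:
        for i, group in enumerate(tmatch.groups(), start=1):
            pattern = pattern.replace("$%d" % i, group)
    return level if re.search(pattern, bind_dn, re.I) else None


def check_access(directives, bind_dn, target_dn, attr, needed):
    """True when bind_dn is granted at least `needed` on attr of target_dn."""
    for directive in directives:
        tmatch = target_matches(directive, target_dn, attr)
        if not tmatch:
            continue
        for clause in directive[3]:   # first matching "by" clause decides
            granted = who_grants(clause, bind_dn, target_dn, tmatch)
            if granted is not None:
                return LEVELS.index(granted) >= LEVELS.index(needed)
        return False                  # implicit "by * none"
    return False                      # implicit "access to * by * none"


ACL = parse_acl(ACL_TEXT)
ALICE = "uid=alice,ou=people,dc=example,dc=net"  # constructed bind DNs
BOB = "uid=bob,ou=people,dc=example,dc=net"
```

Calling check_access(ACL, ALICE, "ou=addressbook,uid=bob,ou=people,dc=example,dc=net", "entry", "write") returns False because the "$1" captured from the target is "bob", which alice's bind DN does not match, and the directive's "by * none" then stops evaluation; check_access(ACL, "", ALICE, "userPassword", "auth") returns True (anonymous simple bind can compare the password) while the same call with "read" returns False. The model is only a reading aid: confirm real behaviour with slapacl, which evaluates the server's actual configuration.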