
Re: ACL Problem



Hi,

OK, my rule is:
access to dn.regex="^mail=([^,]+),ou=([^,]+),jvd=([^,]+),o=hosting,dc=myhosting,dc=example$"
            attrs=userPassword
            by dn.exact="mail=$1,ou=$2,jvd=$3,o=hosting,dc=myhosting,dc=example" write
            by dn.exact,expand="mail=$1,ou=$2,jvd=$3,o=hosting,dc=myhosting,dc=example" read
            by dn="cn=Manager,dc=myhosting,dc=example" write
            by users none
            by * none

This doesn't work; users can't change their own password.

I also tried this:


access to attrs=userpassword
  by self       write
  by anonymous  auth
  by dn="cn=Manager,dc=myhosting,dc=example" write
  by users none
  by *          none

Again, it doesn't work.

Does OpenLDAP have another parameter for these things?

On Tue, Dec 20, 2011 at 8:56 PM, Quanah Gibson-Mount <quanah@zimbra.com> wrote:
--On Tuesday, December 20, 2011 4:28 PM +0200 Selcuk Yazar <selcuk.yazar@gmail.com> wrote:

access to
dn.regex="(.*,ou=(.+),jvd=([^,]+),o=hosting,dc=myhosting,dc=example)"
        attrs=userPassword
        by self write
        by users write

"by users write" will allow any authenticated user to overwrite anyone's password.  I'm guessing you really do *not* want this rule.

--Quanah


--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration



--
Selçuk YAZAR
http://www.selcukyazar.blogspot.com
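
The check below is an added example, not part of the original messages and not OpenLDAP code: it scans slapd.conf-style `access to` directives and reports any rule covering `userPassword` in which a broad `<who>` (`users`, `anonymous` or `*`) is granted `write` or `manage`, which is the problem pointed out in the quoted reply. The function names are hypothetical, and the parser is simplified: it assumes the default first-match evaluation of `by` clauses and ignores `continue`/`break` controls and the `=w` privilege syntax.

```python
import re

BROAD_WHO = {"users", "anonymous", "*"}   # <who> values matching many identities
WRITE_LEVELS = {"write", "manage"}        # levels that allow replacing the value

THREAD_ACLS = '''# Two rules copied from the thread (line wrapping normalised).
access to dn.regex="(.*,ou=(.+),jvd=([^,]+),o=hosting,dc=myhosting,dc=example)"
        attrs=userPassword
        by self write
        by users write

access to attrs=userpassword
  by self       write
  by anonymous  auth
  by dn="cn=Manager,dc=myhosting,dc=example" write
  by users none
  by *          none
'''

def directives(conf):
    """Join slapd.conf continuation lines; return the text after 'access to'."""
    joined = []
    for line in conf.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line[0].isspace() and joined:
            joined[-1] += " " + line.strip()
        else:
            joined.append(line.strip())
    return [m.group(1) for d in joined if (m := re.match(r"access\s+to\s+(.*)", d, re.I))]

def risky_password_grants(conf):
    """List (what, who, level) for broad write grants that cover userPassword."""
    findings = []
    for rule in directives(conf):
        what, *clauses = re.split(r"\s+by\s+", rule)
        attrs = re.search(r"\battrs?=(\S+)", what, re.I)
        if attrs and "userpassword" not in attrs.group(1).lower().split(","):
            continue  # rule is limited to other attributes
        for clause in clauses:
            who, level = (clause.lower().split() + [""])[:2]
            if who in BROAD_WHO and level in WRITE_LEVELS:
                findings.append((what.split()[0], who, level))
            if who == "*":
                break  # first matching <who> wins, later clauses never apply
    return findings
```

Calling `risky_password_grants(THREAD_ACLS)` reports only the `by users write` clause of the first rule; the second rule produces no finding.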