[Date Prev][Date Next] [Chronological] [Thread] [Top]

never mind - messy ACL problem solved

To: openldap-software@OpenLDAP.org
Subject: never mind - messy ACL problem solved
From: "Kyle F. Downey" <kdowney@amberarcher.com>
Date: Fri, 23 Mar 2001 16:51:22 -0500
Organization: Amber Archer Consulting Co., Inc.
User-agent: Mozilla/5.0 (X11; U; Linux 2.4.2 i686; en-US; 0.8) Gecko/20010217

1) I was ordering the rules for directory manager incorrectly, so the ACL code was apply the "read" rule that came before and bailing after first match 2) I forgot a "by * none" to deny access to that subset to everyone else

Making those two fixes got to working with the clients only able to see the top of the tree-- an "org" in my case. The addition of a rule just matching the first "dc" fixed this.

Kurt et. al, thanks for a great product.

--kd


# by default, no access
defaultaccess none

# anyone can edit their own password
access to attr=userpassword
      by self write
      by * none

# anyone logged in can read information in the
# Amber Archer tree (eventually we'll have to
# restrict some attributes)
access to dn="ou=People,dc=amberarcher,dc=com"
      by dn=".+" read
      by * none

# client Directory Managers can edit anything under their
# tree, and client users can read any entry in their company

access to dn="dc=([^,]+),dc=([^,]+),ou=Clients,dc=amberarcher,dc=com" by self write by dn="cn=Directory Manager,dc=$1,dc=$2,ou=Clients,dc=amberarcher,dc=com" write by dn="cn=[^,]+,dc=$1,dc=$2,ou=Clients,dc=amberarcher,dc=com" read by * none

access to dn="dc=([^,]+),ou=Clients,dc=amberarcher,dc=com"
      by dn=".*,dc=$1,ou=Clients,dc=amberarcher,dc=com" read
      by * none

access to dn="ou=Clients,dc=amberarcher,dc=com"
      by dn=".+" read

Prev by Date: complex ACLs without groups (OpenLDAP 1.2.11)
Next by Date: Re: referrals to foreign directory tree?
Index(es):
- Chronological
- Thread