
Re: ACL for only creating entry



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi All,

> I had to change the below ACL suggestion slightly, replacing your "exact"
> with "base" (otherwise openldap wouldn't accept it), but no success. The
> account webregister is not able to see any of the children entries in the
> directory, as intended, but it is not able to create them at all. I get
> "permission denied" errors.
>

Sigh. Logic dictates to me that the behaviour you are finding now is the correct
behaviour. But I swear I saw something like this work!

Fiddling for a while gave the desired results:

# Allow read access of root DSE to ALL
access to dn=""
	by * read
# Allow read access of 'cn=Subschema' to ALL
access to dn="cn=Subschema"
	by * read

# The 'entry' pseudo-attribute of each manager entry: the app may write it
# (an add needs this, together with 'children' on the parent below).
# This directive must come before the catch-all for the same entries,
# because the first matching directive wins.
access to dn.regex="^qwidoManager=.+,qwidoRole=qwidoManager,qwidoApp=qwido$"
	attrs=entry
	by dn.exact="qwidoApp=qwido" write
	by * none

# Everything else below the manager role is invisible to everyone,
# including the app that creates the entries
access to dn.regex=".*,qwidoRole=qwidoManager,qwidoApp=qwido$"
	by * none

# 'children' pseudo-attribute of the role entry: the app may add below it
access to dn.base="qwidoRole=qwidoManager,qwidoApp=qwido" attrs=children
	by dn.exact="qwidoApp=qwido" write
	by * none

# The role entry itself is writable by the app, hidden from everyone else
access to dn.base="qwidoRole=qwidoManager,qwidoApp=qwido"
	by dn.exact="qwidoApp=qwido" write
	by * none

# Anything else below the app entry is hidden
access to dn.regex=".*,qwidoApp=qwido$"
	by * none

# The app's own password: usable for binding, readable only by the app
access to dn.base="qwidoApp=qwido" attrs=userpassword
	by self read
	by anonymous auth
	by * none

# 'children' of the app entry: the app may add directly below itself
access to dn.base="qwidoApp=qwido" attrs=children
	by dn.exact="qwidoApp=qwido" write
	by * none

# The app entry itself: readable by the app only
access to dn.base="qwidoApp=qwido"
	by self read
	by * none

# Final catch-all: deny everything not matched above
access to *
	by * none

I am sorry if it's hard to read, but I don't have time to rewrite it to 
'example.com'.

The trick is 'attrs=entry'

Translated to your case (maybe you need some fiddling though):

# Make the user entry writable for WebRegister
# make the user entry readable for users
# (this directive must come before the general one below: the first
#  matching directive wins, and the next one would answer 'none' for 'entry';
#  the regexes are anchored with ^ and $ because dn.regex is an unanchored
#  search, and [^,]+ keeps $1 to a single RDN value)
access to dn.regex="^uid=([^,]+),ou=users,dc=theoretic,dc=com$" attrs=entry
  by dn.regex="^uid=$1,ou=users,dc=theoretic,dc=com$" read
  by dn.base="uid=webregister,ou=services,dc=theoretic,dc=com" write
  by * none

# Forbid access to the other attributes of individual user entries by
# WebRegister (if your slapd release also checks write access to each
# attribute of an entry being added, grant webregister write here as well)
access to dn.regex="^uid=([^,]+),ou=users,dc=theoretic,dc=com$"
  by dn.regex="^uid=$1,ou=users,dc=theoretic,dc=com$" read
  by * none

# Grant access to WebRegister to create new users,
#  even if it can't see them (above ACL)
# (same suffix as the other directives; a different suffix here never
#  matches and the add is denied by the final catch-all)
access to dn.base="ou=users,dc=theoretic,dc=com" attrs=children
  by dn.base="uid=webregister,ou=services,dc=theoretic,dc=com" write
  by * none


Hope that helps, please let me know!

A_ce
- -- 
Ace Suares' Internet Consultancy
NIEUW ADRES: Postbus 2599, 4800 CN Breda
telefoon: 06-244 33 608
fax en voicemail: 0848-707 705
website: http://www.suares.nl * http://www.qwikzite.nl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)

iD8DBQE/3Dyjy7boE8xtIjURAkcwAKCtbJu35fPsZNL/Z/itDi4aWQlCagCeNe38
T6Qmf7Yyh8zP7YgyRmhlz00=
=fccr
-----END PGP SIGNATURE-----
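The following is an added example, not part of the message above and not OpenLDAP code: a small Python model of the slapd ACL evaluation the thread relies on (first matching "access to" directive wins, first matching "by" clause inside it wins, an add needs write on the parent's 'children' pseudo-attribute and on the new entry's 'entry' pseudo-attribute, a read needs read on 'entry' and on the attribute). The DNs, the user "alice" and the "mail" attribute are constructed for the example, the regex anchoring and [^,]+ are this example's choice, and the model does not cover further checks a given slapd release may apply on add (see slapd.access(5) for the release in use). It shows why the 'entry' directive must precede the general one and why the 'children' directive must carry the real suffix.

```python
"""Toy model of slapd ACL evaluation for the 'create but not read' ACL.

Constructed example, not slapd code.  It models only: first matching
'access to' wins; inside it the first matching 'by' wins (implicit
'by * none' closes each directive); add needs write on the parent's
'children' and on the new entry's 'entry'; read needs read on 'entry'
and on the attribute.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # slapd order


def at_least(level, needed):
    return LEVELS.index(level) >= LEVELS.index(needed)


@dataclass
class By:
    kind: str          # 'any', 'anonymous', 'self', 'dn.exact' or 'dn.regex'
    level: str         # privilege granted when the clause matches
    pattern: str = ""  # exact DN, or a regex with $1.. from the target match


@dataclass
class Access:
    target: str                  # 'any', 'dn.base' or 'dn.regex'
    pattern: str = ""
    attrs: Optional[set] = None  # None: every attribute, entry/children included
    bys: list = field(default_factory=list)


def target_match(acl, dn):
    if acl.target == "any":
        return re.match("", dn)
    if acl.target == "dn.base":
        return re.fullmatch(re.escape(acl.pattern), dn)
    # slapd hands dn.regex to regexec(), an unanchored search: write ^ and $.
    return re.search(acl.pattern, dn)


def by_match(by, bind_dn, target_dn, m):
    if by.kind == "any":
        return True
    if by.kind == "anonymous":
        return bind_dn == ""
    if by.kind == "self":
        return bind_dn != "" and bind_dn == target_dn
    if by.kind == "dn.exact":
        return bind_dn == by.pattern
    # dn.regex: $N expands to group N captured by the 'access to' regex
    expanded = re.sub(r"\$(\d)", lambda g: re.escape(m.group(int(g.group(1)))),
                      by.pattern)
    return re.search(expanded, bind_dn) is not None


def access_level(acls, target_dn, attr, bind_dn):
    """Privilege the first applicable directive grants; 'none' if none applies."""
    for acl in acls:
        m = target_match(acl, target_dn)
        if m is None or (acl.attrs is not None and attr not in acl.attrs):
            continue
        for by in acl.bys:
            if by_match(by, bind_dn, target_dn, m):
                return by.level
        return "none"  # directive matched, no by clause did
    return "none"


def can_add(acls, new_dn, bind_dn):
    parent = new_dn.split(",", 1)[1]
    return (at_least(access_level(acls, parent, "children", bind_dn), "write")
            and at_least(access_level(acls, new_dn, "entry", bind_dn), "write"))


def can_read(acls, dn, attr, bind_dn):
    return (at_least(access_level(acls, dn, "entry", bind_dn), "read")
            and at_least(access_level(acls, dn, attr, bind_dn), "read"))


# DNs follow the thread's naming; they are constructed, not a real directory.
USERS = "ou=users,dc=theoretic,dc=com"
WEBREG = "uid=webregister,ou=services,dc=theoretic,dc=com"
USER_RE = rf"^uid=([^,]+),{re.escape(USERS)}$"  # [^,]+ keeps $1 to one RDN value
SELF_RE = rf"^uid=$1,{re.escape(USERS)}$"


def thread_acls():
    """The three directives proposed in the thread plus a final catch-all."""
    return [
        Access("dn.regex", USER_RE, {"entry"}, [     # 'entry' pseudo-attribute
            By("dn.regex", "read", SELF_RE),
            By("dn.exact", "write", WEBREG),
            By("any", "none")]),
        Access("dn.regex", USER_RE, None, [          # all other attributes
            By("dn.regex", "read", SELF_RE),
            By("any", "none")]),
        Access("dn.base", USERS, {"children"}, [     # may add below ou=users
            By("dn.exact", "write", WEBREG),
            By("any", "none")]),
        Access("any", bys=[By("any", "none")]),
    ]


def misordered_acls():
    """General user directive first: it also answers for 'entry', so adds fail."""
    acls = thread_acls()
    acls[0], acls[1] = acls[1], acls[0]
    return acls


def wrong_suffix_acls():
    """'children' directive against dc=example: never matches, final deny wins."""
    acls = thread_acls()
    acls[2] = Access("dn.base", "ou=users,dc=example,dc=com", {"children"}, acls[2].bys)
    return acls


if __name__ == "__main__":
    alice = f"uid=alice,{USERS}"
    for name, acls in (("thread", thread_acls()), ("misordered", misordered_acls()),
                       ("wrong suffix", wrong_suffix_acls())):
        print(f"{name:12}: webregister adds alice={can_add(acls, alice, WEBREG)}, "
              f"reads her mail={can_read(acls, alice, 'mail', WEBREG)}, "
              f"alice reads own mail={can_read(acls, alice, 'mail', alice)}")
```

With the directives in the thread's order, webregister can add uid=alice but cannot read her attributes, alice can read her own entry, and other users and anonymous binds get nothing; swapping the first two directives or pointing the 'children' directive at another suffix makes the add fail exactly as in the "permission denied" report.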