[Date Prev][Date Next] [Chronological] [Thread] [Top]

ACL for only creating entry

To Ace Suares:

I tried your last suggestion of:

# Make the user entry writable for WebRegister
# make the user entry readable for users
access to dn.regex="uid=(.+),ou=users,dc=theoretic,dc=com" attrs=entry
  by dn.regex="uid=$1,ou=users,dc=theoretic,dc=com" read
  by dn.base="uid=webregister,ou=services,dc=theoretic,dc=com" write
  by * none

# Forbid access to the other attributes of individual user entries by
# WebRegister
access to dn.regex="uid=(.+),ou=users,dc=theoretic,dc=com"
  by dn.regex="uid=$1,ou=users,dc=theoretic,dc=com" read
  by * none

# Grant access to WebRegister to create new users,
#  even if it can't see them (above ACL)
access to dn.base="ou=users,dc=example,dc=com" attrs=children
  by dn.base="uid=webregister,ou=services,dc=theoretic,dc=com" write
  by * none

But it only works as intended if I add the following 4th rule at the end,
giving webregister write access to the grandparent node of the individual
users (the parent of the node where users are created).

## Default to read access.
access to dn=".*,dc=theoretic,dc=com"
 by dn="uid=webregister,ou=services,dc=theoretic,dc=com" write
 by self write
# by * auth
# by * search

I unfortunately can't afford to give webregister this access because then
some crafty cracker could access info outside of the users (such as in my
ou=services for non-human login accounts or ou=hosts for domains that my
box controls). And I only get the intended results by giving webregister
write acess, so it seems there is something it needs to write to not
covered by the previous ACLs I can't seem to figure out why, though, after
messing with it for a few hours.