
Re: ACL for only creating entry (SOLVED)



adamtheo@theoretic.com wrote:
To Ace Suares, Pierangelo Masarati, and others of the list:

Pierangelo's suggestion for the ACLs to get the desired result of
allowing a UID to add new entries to a branch of the LDAP directory, but
also being denied access to read or write to them immediately after
creation (for the purpose of setting up an account registration form for
the general public to use to create accounts for themselves) has worked.

I had to figure out where to place his snippet, but after a short trial
and error period, this is my final and complete ACL entry for my
Directory:


<quote from='/etc/openldap/slapd.conf'>

access to attr=userPassword
        by self write
        by anonymous auth

access to dn.base="ou=users,dc=theoretic,dc=com"
        by dn="uid=webregister,ou=services,dc=theoretic,dc=com" write
        by anonymous auth
        by users read
        by self write
        by * none

access to dn.children="ou=users,dc=theoretic,dc=com"
       by dn.exact="uid=webregister,ou=services,dc=theoretic,dc=com" =xcsw

sorry to contradict you, but to allow "uid=webregister,ou=services,dc=theoretic,dc=com" to only add, delete and possibly modrdn entries below "ou=users,dc=theoretic,dc=com", but NOT modify their contents, and, at the same time, allow users below "ou=users,dc=theoretic,dc=com" to read themselves and modify some of their attributes you should do:

access to attr=userPassword
        by self write
        by anonymous auth

access to dn.base="ou=users,dc=theoretic,dc=com" attrs=children
        by dn="uid=webregister,ou=services,dc=theoretic,dc=com" write
        by users read
        by * none

access to dn.one="ou=users,dc=theoretic,dc=com" attrs=entry
        by dn.exact="uid=webregister,ou=services,dc=theoretic,dc=com" \
                write
        by users read
        by * none

access to dn.one="ou=users,dc=theoretic,dc=com" \
               attrs=<set of modifiable attrs>
        by self write
        by * none

access to dn.one="ou=users,dc=theoretic,dc=com" \
               attrs=<set of non-modifiable attrs^(1)>
        by self read
        by * none

# (1) if you omit this, then all the attributes not in <set of
# modifiable attrs> will be readable by self.

note that I replaced "dn.children" with "dn.one" because the former
would allow users to create entries below themselves (but not
to read or modify them, though).  If this is what you need, then
your ACLs would change a bit.

Please try this and see if it gives you the expected results.

p.


</quote>

These ACLs allow 'uid=webregister' to create a new 'uid' entry under
'ou=users', but forbid it from seeing those entries (both those it
creates and already existing ones), even forbidding write access.

Thank you everyone!





-- 
Dr. Pierangelo Masarati    mailto:pierangelo.masarati@sys-net.it
LDAP Architect, SysNet s.n.c.    http://www.sys-net.it

Merry Christmas and a Happy New Year

SysNet - via Dossi,8 27100 Pavia   Tel: +390382573859   Fax: +390382476497
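As an added illustration (not part of this thread, and not OpenLDAP's own code), the Python script below models the evaluation rules the two ACL sets rely on: dn.base/dn.one/dn.children scope matching, the `entry` and `children` pseudo-attributes that add and delete need, the first matching `to` directive deciding and within it the first matching `by` clause (with an implicit `by * none`), and the difference between the `write` level and the explicit `=xcsw` flags. It then runs both ACL sets through that model. The placeholder attribute sets are filled in with constructed values (cn and mail as self-modifiable, uid and objectClass as self-readable only) and `uid=alice` is a constructed user entry. The model covers only the checks discussed in the thread; a real slapd applies more, so confirm any ACL against a live server (slapacl(8) exists for this in later releases) before relying on it.

```python
"""Toy model of slapd.conf access-directive evaluation (added illustration, not
OpenLDAP code): scopes, entry/children pseudo-attributes, first-match `to` then
first-match `by` with an implicit `by * none`, privilege levels vs. =xcsw flags."""
import re

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
LETTERS = "0dxcsrw"  # one letter per level, cumulative; "0" stands for none

def level_to_letters(level):
    """'read' -> {d,x,c,s,r}; '=xcsw' -> exactly {x,c,s,w}: write but no read."""
    if level.startswith("="):
        return set(level[1:])
    return set(LETTERS[1:LEVELS.index(level) + 1])

def parse_acls(text):
    # Parse `access to <target> by <who> <level> ...` directives into dicts.
    text = re.sub(r"#.*", "", text).replace("\\\n", " ")  # comments, continuations
    acls = []
    for block in re.split(r"^\s*access\s+to\s+", text, flags=re.M)[1:]:
        tokens = block.split()
        by_at = tokens.index("by")
        acl = {"scope": "all", "base": None, "attrs": None, "by": []}
        for tok in tokens[:by_at]:  # target: dn[.scope]="..." and/or attrs=a,b
            key, _, val = tok.partition("=")
            if key.startswith("dn"):
                acl["scope"] = key.partition(".")[2] or "base"
                acl["base"] = val.strip('"').lower()
            elif key in ("attr", "attrs"):
                acl["attrs"] = set(val.lower().split(","))
        for i in range(by_at, len(tokens), 3):  # by <who> <level>
            acl["by"].append((tokens[i + 1].lower(), tokens[i + 2]))
        acls.append(acl)
    return acls

parent = lambda dn: dn.partition(",")[2]  # DN with its first RDN removed

def target_matches(acl, dn, attr):
    if acl["attrs"] is not None and attr not in acl["attrs"]:
        return False
    base = acl["base"]
    below = bool(base) and dn.endswith("," + base)
    return {"all": True, "base": dn == base, "one": parent(dn) == base,
            "children": below, "subtree": dn == base or below}[acl["scope"]]

def subject_matches(who, binddn, dn):
    simple = {"*": True, "anonymous": binddn is None,
              "users": binddn is not None, "self": binddn == dn}
    key, _, val = who.partition("=")  # dn="..." or dn.exact="..."
    return simple.get(who, key in ("dn", "dn.exact") and binddn == val.strip('"'))

def granted(acls, binddn, dn, attr):
    """Privilege letters binddn holds on one (pseudo-)attribute of entry dn."""
    dn, attr = dn.lower(), attr.lower()
    binddn = binddn.lower() if binddn else None
    for acl in acls:
        if target_matches(acl, dn, attr):
            for who, level in acl["by"]:
                if subject_matches(who, binddn, dn):
                    return level_to_letters(level)
            return set()  # `to` matched but no `by` did: implicit "by * none"
    return set()

def can_add(acls, binddn, new_dn):
    """Add needs write on the parent's `children` and on the new entry's `entry`."""
    return ("w" in granted(acls, binddn, parent(new_dn), "children")
            and "w" in granted(acls, binddn, new_dn, "entry"))

def can_read(acls, binddn, dn, attr):
    return ("r" in granted(acls, binddn, dn, "entry")
            and "r" in granted(acls, binddn, dn, attr))

def can_modify(acls, binddn, dn, attr):
    return "w" in granted(acls, binddn, dn, attr)

# Constructed sample: both ACL sets from the thread, the placeholder attribute
# sets filled in with cn,mail (self-modifiable) and uid,objectClass (self-readable).
USERS = "ou=users,dc=theoretic,dc=com"
WEBREG = "uid=webregister,ou=services,dc=theoretic,dc=com"
ALICE = "uid=alice,ou=users,dc=theoretic,dc=com"  # constructed user entry
ORIGINAL_ACLS = parse_acls(f"""
access to attr=userPassword by self write by anonymous auth
access to dn.base="{USERS}"
    by dn="{WEBREG}" write by anonymous auth by users read by self write by * none
access to dn.children="{USERS}" by dn.exact="{WEBREG}" =xcsw
""")
REVISED_ACLS = parse_acls(f"""
access to attr=userPassword by self write by anonymous auth
access to dn.base="{USERS}" attrs=children by dn="{WEBREG}" write by users read by * none
access to dn.one="{USERS}" attrs=entry by dn.exact="{WEBREG}" write by users read by * none
access to dn.one="{USERS}" attrs=cn,mail by self write by * none
access to dn.one="{USERS}" attrs=uid,objectClass by self read by * none
""")

def summary(acls):
    """Key outcomes for the registration account and for a user (ALICE)."""
    return {"webregister adds": can_add(acls, WEBREG, ALICE),
            "webregister modifies cn": can_modify(acls, WEBREG, ALICE, "cn"),
            "webregister reads cn": can_read(acls, WEBREG, ALICE, "cn"),
            "user reads own cn": can_read(acls, ALICE, ALICE, "cn"),
            "user modifies own cn": can_modify(acls, ALICE, ALICE, "cn"),
            "user modifies own uid": can_modify(acls, ALICE, ALICE, "uid")}

if __name__ == "__main__":
    print({n: summary(a) for n, a in [("original", ORIGINAL_ACLS), ("revised", REVISED_ACLS)]})
```

Comparing the two dictionaries shows the point of the correction: under the original ACLs the `=xcsw` clause hands `uid=webregister` write access to every attribute below `ou=users` (and, because that `dn.children` directive is the first to match a user's own entry and has no `by` clause for `self`, users get nothing on themselves), while the revised ACLs confine the registration account to the `children` and `entry` pseudo-attributes that add and delete require and let users read and partly modify their own entries.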