
Re: Problem with ACL and regex



Hi,

removing the break leads in the right direction. Now a normal user can
access the global book and his own user level (only his own) but, as the last
error, he can't access his private addressbook under his user level
(cn=mmaier,ou=user,dc=cw is accessible but not
ou=addressbook,cn=mmaier,ou=user,dc=cw). I've played again with the
options for hours today but I really have problems understanding how these
ACLs should work...

So my actual config is:

-------------

access to dn.regex="cn=(.+),ou=user,dc=cw"
         by self write
         by dn="cn=admin,ou=user,dc=cw" write
         by * auth
access to dn.regex="ou=addressbook,cn=(.+),ou=user,dc=cw"
         by self write
         by dn="cn=admin,ou=user,dc=cw" write
         by * auth
access to attribute=userPassword
        by self write
        by dn="cn=admin,ou=user,dc=cw" write
        by anonymous auth
access to dn="ou=company-addressbook,dc=cw"
        by dn="cn=admin,ou=user,dc=cw" write
        by users read
        by users search

access to *
        by dn="cn=admin,ou=users,dc=cw" write
        by users read

---

The only thing which is still missing is the user access to their
phonebooks which currently does not work.

These ACLs drive me crazy - if anybody has a clue on how to fix that
problem please tell me...

Thank you in advance

Michael

>> > #Order matters put the entries I suggested first
>
>> > access to dn.regex="cn=(.+),ou=user,dc=cw"
>> >     by self read
>> >     by dn="cn=admin,ou=user,dc=cw" write
>         by * auth
> Remove break at the end of the line above.
>
> The way acls work (or at least the behaviour I have noticed) is that when
> you match one acl then it stops checking,
> so if you use break at the end it will keep on going to the next acl.
> In my setup I first restrict everything I want to restrict and later on I
> allow access to the rest.
>
> The other thing you can try is to leave it as is but then change the last
> line of the config to:  access to * by users search
> instead of access to * by users read
>
>> > access to dn.regex="ou=addressbok,cn=(.+),ou=user,dc=cw"
>> >     by self write
>> >     by dn="cn=admin,ou=user,dc=cw" write
>> >     by * auth
>> > # Remove the * that you had in this line
>> > access to attribute=userPassword
>> >     by self write
>> >         by dn="cn=admin,ou=user,dc=cw" write
>> >         by anonymous auth
>> > access to dn="ou=company-addressbook,dc=cw"
>> >         by dn="cn=admin,ou=user,dc=cw" write
>> >         by users read
>> >         by users search
>> > access to *
>> >         by dn="cn=admin,ou=users,dc=cw" write
>> >         by users read
>
>
>
> Diego
>
>
> On Wed, 10 Mar 2004, Michael Hamann wrote:
>
>> Hey Diego,
>>
>> thank you for your answer. Now a normal user can see the global
>> addressbook but also all books of the other users. Except for the
>> userPassword field I can access all attributes under the ou=user,dc=cw
>> tree...
>>
>> I found out that when I comment out the last line of your config (the
>> access to * by users read) then the user only has access to the global
>> area. So it seems to me that the earlier rules are not fully recognized -
>> which I do not really understand why...
>>
>> Michael
>>
>> >> >> As commented in my slapd.conf file I want:
>> >> >>
>> >> >> - every authorized user to read the global addressbook
>> >> >> - admin should have right to write everywhere
>> >> >> - the users should be able to update their own addressbook under
>> >> >>   their own tree.
>> >> >>
>> >
>> > #Order matters put the entries I suggested first
>> > access to dn.regex="cn=(.+),ou=user,dc=cw"
>> >  	by self read
>> >  	by dn="cn=admin,ou=user,dc=cw" write
>> >  	by * auth break
>> > access to dn.regex="ou=addressbok,cn=(.+),ou=user,dc=cw"
>> >  	by self write
>> >  	by dn="cn=admin,ou=user,dc=cw" write
>> >  	by * auth
>> > # Remove the * that you had in this line
>> > access to attribute=userPassword
>> > 	by self write
>> >         by dn="cn=admin,ou=user,dc=cw" write
>> >         by anonymous auth
>> > access to dn="ou=company-addressbook,dc=cw"
>> >         by dn="cn=admin,ou=user,dc=cw" write
>> >         by users read
>> >         by users search
>> > access to *
>> >         by dn="cn=admin,ou=users,dc=cw" write
>> >         by users read
>>
>>
>>
>
>
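A small Python model of slapd's first-match ACL evaluation, added here as an illustration and not taken from anyone in this thread; it is a simplified assumption of how slapd behaves, and the `dn.expand` clause in the model stands in for slapd's `dn.exact,expand` style. It shows why the unanchored `cn=(.+),ou=user,dc=cw` also matches the addressbook entry and stops at `by * auth`, and what changes once the regexes are anchored and the owner is granted through the captured cn:

```python
import re

# Constructed model (an assumption of this example, simplified from OpenLDAP):
# rules are tried in order, the first rule whose "access to" target matches
# the entry wins, and within that rule the first matching "by" clause decides.
# dn.regex is an unanchored regex search, which is the root of the problem.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def who_matches(who, bound_dn, target_dn, groups):
    """Decide whether one 'by' clause applies to the bound user."""
    kind, value = who
    if kind == "*":
        return True
    if kind == "self":          # self = the entry IS the bound user's own entry
        return bound_dn is not None and bound_dn == target_dn
    if kind == "users":
        return bound_dn is not None
    if kind == "anonymous":
        return bound_dn is None
    if kind == "dn":
        return bound_dn == value
    if kind == "dn.expand":     # $1 is the target regex's first capture group
        return bound_dn == value.replace("$1", groups[0] if groups else "")
    raise ValueError(kind)

def evaluate(rules, bound_dn, target_dn):
    """Return the access level bound_dn gets on target_dn ('none' if nothing applies)."""
    for target_regex, by_clauses in rules:
        m = re.search(target_regex, target_dn)   # unanchored, like slapd
        if not m:
            continue
        for who, level in by_clauses:
            if who_matches(who, bound_dn, target_dn, m.groups()):
                return level
        return "none"                             # implicit "by * none"
    return "none"

ADMIN = ("dn", "cn=admin,ou=user,dc=cw")
ANY, SELF = ("*", None), ("self", None)
# The first two rules as posted above: unanchored regexes.
POSTED = [
    (r"cn=(.+),ou=user,dc=cw", [(SELF, "write"), (ADMIN, "write"), (ANY, "auth")]),
    (r"ou=addressbook,cn=(.+),ou=user,dc=cw", [(SELF, "write"), (ADMIN, "write"), (ANY, "auth")]),
]
# Anchored regexes; the addressbook owner is granted via the captured cn.
FIXED = [
    (r"^ou=addressbook,cn=([^,]+),ou=user,dc=cw$",
     [(("dn.expand", "cn=$1,ou=user,dc=cw"), "write"), (ADMIN, "write"), (ANY, "auth")]),
    (r"^cn=([^,]+),ou=user,dc=cw$", [(SELF, "write"), (ADMIN, "write"), (ANY, "auth")]),
]

USER = "cn=mmaier,ou=user,dc=cw"
BOOK = "ou=addressbook,cn=mmaier,ou=user,dc=cw"
if __name__ == "__main__":
    print(evaluate(POSTED, USER, USER), evaluate(POSTED, USER, BOOK), evaluate(FIXED, USER, BOOK))
```

Running it prints `write auth write`: with the posted rules the first regex swallows the addressbook DN and only the `by * auth` clause applies, while the anchored rules let the owner reach the second rule set and get write.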