
Re: Problem with ACL and regex



Let me fix a couple of typos and add an extra rule
to my previous message:

# allow everybody to try to bind
access to attrs=userPassword
        by self write
        by dn.exact="cn=admin,ou=user,dc=cw" write
        by anonymous auth

# give read access to one's entry to oneself only
access to dn.regex="^cn=([^,]+),ou=user,dc=cw$$"
        by self read
        by dn.exact="cn=admin,ou=user,dc=cw" write
        by * none

# allow one to create children of one's own addressbook
access to dn.regex="^ou=addressbook,cn=([^,]+),ou=user,dc=cw$$"
                attrs=children
        by dn.exact,expand="cn=$1,ou=user,dc=cw" write
        by dn.exact="cn=admin,ou=user,dc=cw" write
        by * none

# allow no-one else read access to one's addressbook entry
access to dn.regex="^ou=addressbook,cn=([^,]+),ou=user,dc=cw$$"
        by dn.exact,expand="cn=$1,ou=user,dc=cw" read
        by dn.exact="cn=admin,ou=user,dc=cw" write
        by * none

# allow one to create entries in one's own addressbook;
# no-one else can read it
access to dn.regex="[^,]+,ou=addressbook,cn=([^,]+),ou=user,dc=cw$$"
                attrs=entry,<list what attributes one needs to write>
        by dn.exact,expand="cn=$1,ou=user,dc=cw" write
        by dn.exact="cn=admin,ou=user,dc=cw" write
        by * none

# allow everybody to read everything else, including
# the company-wide addressbook
access to *
        by dn.exact="cn=admin,ou=user,dc=cw" write
        by users read
        by * none

I'm about to turn this into (yet) a(nother) FAQ example.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
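The rules above only behave as intended if every dn.regex actually matches the DNs it is meant to cover and the expanded "by" clause resolves to the right user, and slapd gives no warning when a regex silently matches nothing: evaluation just falls through to the next rule, here the catch-all "access to *". The following Python model is an added example, not code from the message or from OpenLDAP: it replays slapd's first-match evaluation (first matching "access to" clause wins, then its first matching "by" clause, with an implicit "by * none") over the rules from this message, and shows what a single dropped comma in the second rule's regex does to the policy: the rule stops matching and every bound user can read everyone else's entry through the catch-all. Assumptions: the unspecified attribute list in the fifth rule is filled with cn and mail for illustration; DN comparison is plain case-insensitive string comparison rather than slapd's DN normalization; the "disclose" and "manage" levels and the other "by" selector types are omitted; the "$$" these rules use as the end-of-DN anchor is translated to a single "$" for Python's re module.

```python
import re

# Access levels in increasing order of privilege (subset of slapd's ordering).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

ADMIN = "cn=admin,ou=user,dc=cw"


def rule(target, by, attrs=None):
    """target: None for 'access to *', or a dn.regex as written in slapd.conf;
    attrs: set of attribute names (None means the rule covers all attributes,
    including the entry/children pseudo-attributes); by: list of (who, level),
    where who is '*', 'anonymous', 'users', 'self', ('exact', dn) or
    ('expand', dn_template) for dn.exact,expand="..."."""
    return {"target": target, "attrs": attrs, "by": by}


def build_acls(second_rule_regex):
    """The rules from the message; the second rule's regex is a parameter so
    the correct and the comma-less versions can be compared."""
    return [
        rule(None, [("self", "write"), (("exact", ADMIN), "write"),
                    ("anonymous", "auth")], attrs={"userPassword"}),
        rule(second_rule_regex,
             [("self", "read"), (("exact", ADMIN), "write"), ("*", "none")]),
        rule(r"^ou=addressbook,cn=([^,]+),ou=user,dc=cw$$",
             [(("expand", "cn=$1,ou=user,dc=cw"), "write"),
              (("exact", ADMIN), "write"), ("*", "none")], attrs={"children"}),
        rule(r"^ou=addressbook,cn=([^,]+),ou=user,dc=cw$$",
             [(("expand", "cn=$1,ou=user,dc=cw"), "read"),
              (("exact", ADMIN), "write"), ("*", "none")]),
        # Assumed attribute list (cn, mail): the message leaves it unspecified.
        rule(r"[^,]+,ou=addressbook,cn=([^,]+),ou=user,dc=cw$$",
             [(("expand", "cn=$1,ou=user,dc=cw"), "write"),
              (("exact", ADMIN), "write"), ("*", "none")],
             attrs={"entry", "cn", "mail"}),
        rule(None, [(("exact", ADMIN), "write"), ("users", "read"), ("*", "none")]),
    ]


def _compile(pattern):
    # The rules write the end-of-DN anchor as '$$'; Python's re wants '$'.
    return re.compile(pattern.replace("$$", "$"), re.IGNORECASE)


def who_matches(who, bind_dn, target_dn, match):
    """bind_dn is None for an anonymous session."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    kind, value = who
    if kind == "expand" and match is not None:
        # dn.exact,expand: substitute $1, $2, ... from the target regex match.
        value = re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))), value)
    return bind_dn is not None and bind_dn.lower() == value.lower()


def granted(acls, target_dn, attr, bind_dn):
    """Level granted by the first 'access to' clause whose target and attrs
    match; inside it the first matching 'by' clause wins, and a clause with no
    matching 'by' denies (implicit 'by * none')."""
    for r in acls:
        match = None
        if r["target"] is not None:
            match = _compile(r["target"]).search(target_dn)
            if match is None:
                continue
        if r["attrs"] is not None and attr not in r["attrs"]:
            continue
        for who, level in r["by"]:
            if who_matches(who, bind_dn, target_dn, match):
                return level
        return "none"
    return "none"


def allowed(acls, target_dn, attr, bind_dn, needed):
    return LEVELS.index(granted(acls, target_dn, attr, bind_dn)) >= LEVELS.index(needed)


FIXED = build_acls(r"^cn=([^,]+),ou=user,dc=cw$$")
BROKEN = build_acls(r"^cn=([^,]+)ou=user,dc=cw$$")   # comma after the group dropped

# Constructed sample DNs.
ALICE = "cn=alice,ou=user,dc=cw"
BOB = "cn=bob,ou=user,dc=cw"
ALICE_AB = "ou=addressbook,cn=alice,ou=user,dc=cw"


def demo():
    return {
        "alice reads own entry": allowed(FIXED, ALICE, "cn", ALICE, "read"),
        "bob reads alice's entry": allowed(FIXED, ALICE, "cn", BOB, "read"),
        "bob reads alice's entry, comma dropped": allowed(BROKEN, ALICE, "cn", BOB, "read"),
        "anonymous binds as alice": allowed(FIXED, ALICE, "userPassword", None, "auth"),
        "anonymous reads alice's password": allowed(FIXED, ALICE, "userPassword", None, "read"),
        "alice adds to own addressbook": allowed(FIXED, ALICE_AB, "children", ALICE, "write"),
        "bob adds to alice's addressbook": allowed(FIXED, ALICE_AB, "children", BOB, "write"),
        "bob reads alice's addressbook": allowed(FIXED, ALICE_AB, "entry", BOB, "read"),
        "admin writes alice's addressbook": allowed(FIXED, ALICE_AB, "children", ADMIN, "write"),
        "bob reads company addressbook": allowed(FIXED, "cn=x,ou=addressbook,dc=cw", "cn", BOB, "read"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:45s} {'allowed' if ok else 'denied'}")
```

The model is only a reasoning aid for the regexes and expansions; the authoritative check is slapacl(8) run against the server's own configuration, with the same bind DN, target DN and attribute combinations as above.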