
Re: Problem with ACL and regex



Hi Pierangelo

I think you should really turn it into an FAQ; ACLs are poorly
explained in the OpenLDAP documentation.  If you understand them totally
and could make an elaborate explanation of how they work, that will be
super :).

I also struggled to get some special ACLs just recently and even though I
got them to work, I am not 100% sure that is the best way to do it.
Would you mind taking a look at my last posting to the message with
subject: ACL questions Answered (long), and give me your opinion on the
way I set those ACLs.

Thanks,

diego

On Wed, 10 Mar 2004, Pierangelo Masarati wrote:

> Let me fix a couple of typos and add an extra rule
> to my previous message:
>
> # allow everybody to try to bind
> access to attrs=userPassword
>         by self write
>         by dn.exact="cn=admin,ou=user,dc=cw" write
>         by anonymous auth
>
> # give read access to one's entry to himself only
> access to dn.regex="^cn=([^,]+),ou=user,dc=cw$$"
>         by self read
>         by dn.exact="cn=admin,ou=user,dc=cw" write
>         by * none
>
> # allow one to create children of its own addressbook
> access to dn.regex="^ou=addressbook,cn=([^,]+),ou=user,dc=cw$$"
>                 attrs=children
>         by dn.exact,expand="cn=$1,ou=user,dc=cw" write
>         by dn.exact="cn=admin,ou=user,dc=cw" write
>         by * none
>
> # allow no-one else read access to one's addressbook entry
> access to dn.regex="^ou=addressbook,cn=([^,]+),ou=user,dc=cw$$"
>         by dn.exact,expand="cn=$1,ou=user,dc=cw" read
>         by dn.exact="cn=admin,ou=user,dc=cw" write
>         by * none
>
> # allow one to create entries in its own addressbook;
> # no-one else can read it
> access to dn.regex="[^,]+,ou=addressbook,cn=([^,]+),ou=user,dc=cw$$"
>                 attrs=entry,<list what attributes one needs to write>
>         by dn.exact,expand="cn=$1,ou=user,dc=cw" write
>         by dn.exact="cn=admin,ou=user,dc=cw" write
>         by * none
>
> # allow everybody to read everything else, including
> # the company-wide addressbook
> access to *
>         by dn.exact="cn=admin,ou=user,dc=cw" write
>         by users read
>         by * none
>
> I'm about to turn this into (yet )a(nother) FAQ example.
>
> p.
>
> --
> Pierangelo Masarati
> mailto:pierangelo.masarati@sys-net.it
>
>
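To check the quoted rule order without a running slapd, here is an added Python model (my code, not Pierangelo's and not OpenLDAP's) of slapd's first-match evaluation: the first `access to` whose target DN and attribute match decides, and inside it the first `by` clause that matches the binding DN wins. It assumes `dn.exact,expand` substitutes `$1` from the target regex, uses constructed user DNs (alice, bob), and fills the attribute list the post leaves open with constructed attributes; it also shows how one missing comma in a `dn.regex` makes a rule match nothing, so those entries silently fall through to the catch-all `by users read`.

```python
import re
# Added example (not from the original post): a toy model of how slapd walks
# the ACLs quoted above. It reproduces only first-match semantics so the rule
# order can be checked offline; user DNs (alice, bob) are constructed.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
ADMIN = "cn=admin,ou=user,dc=cw"

# (target DN regex, or None for "*"; attrs, or None for all; [(who, level), ...]).
# slapd.conf writes the end anchor as "$$"; Python regexes use a single "$".
ACLS = [
    (None, {"userPassword"}, [("self", "write"), (ADMIN, "write"), ("anonymous", "auth")]),
    (r"^cn=([^,]+),ou=user,dc=cw$", None, [("self", "read"), (ADMIN, "write"), ("*", "none")]),
    (r"^ou=addressbook,cn=([^,]+),ou=user,dc=cw$", {"children"},
     [("cn=$1,ou=user,dc=cw", "write"), (ADMIN, "write"), ("*", "none")]),
    (r"^ou=addressbook,cn=([^,]+),ou=user,dc=cw$", None,
     [("cn=$1,ou=user,dc=cw", "read"), (ADMIN, "write"), ("*", "none")]),
    # "entry" plus a constructed attribute list; the post leaves that list to be filled in
    (r"[^,]+,ou=addressbook,cn=([^,]+),ou=user,dc=cw$", {"entry", "cn", "mail"},
     [("cn=$1,ou=user,dc=cw", "write"), (ADMIN, "write"), ("*", "none")]),
    (None, None, [(ADMIN, "write"), ("users", "read"), ("*", "none")]),
]

def who_matches(who, bind_dn, target_dn, match):
    """Does a 'by' clause apply to this bind DN? $1 expands from the target regex."""
    if who in ("*", "anonymous", "users", "self"):
        return {"*": True, "anonymous": bind_dn is None, "users": bind_dn is not None,
                "self": bind_dn == target_dn}[who]
    return bind_dn == (who.replace("$1", match.group(1)) if "$1" in who else who)

def granted(acls, bind_dn, target_dn, attr, needed):
    """First 'access to' matching target+attr decides; inside it the first matching
    'by' wins. A directive that matches with no matching 'by' denies (implicit by * none)."""
    for pattern, attrs, by in acls:
        match = re.search(pattern or "", target_dn)
        if match is None or (attrs is not None and attr not in attrs):
            continue
        for who, level in by:
            if who_matches(who, bind_dn, target_dn, match):
                return LEVELS.index(level) >= LEVELS.index(needed)
        return False
    return False  # nothing matched at all: deny

def with_typo(acls):
    """Same rules, but the user-entry regex drops the comma after the capture group.
    That pattern matches no DN, so user entries fall through to the catch-all's 'by users read'."""
    acls = list(acls)
    acls[1] = (r"^cn=([^,]+)ou=user,dc=cw$", acls[1][1], acls[1][2])
    return acls
```

Run `granted(ACLS, "cn=bob,ou=user,dc=cw", "cn=alice,ou=user,dc=cw", "cn", "read")` against both `ACLS` and `with_typo(ACLS)` to see the difference one comma makes.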