
RE: Problem with ACL and regex



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Pierangelo Masarati

> Let me fix a couple of typos and add an extra rule
> to my previous message:
>
> # allow everybody to try to bind
> access to attrs=userPassword
>         by self write
>         by dn.exact="cn=admin,ou=user,dc=cw" write
>         by anonymous auth
>
> # give read access to one's entry to himself only
> access to dn.regex="^cn=([^,]+),ou=user,dc=cw$$"
>         by self read
>         by dn.exact="cn=admin,ou=user,dc=cw" write
>         by * none
>
> # allow one to create children of its own addressbook
> access to dn.regex="^ou=addressbook,cn=([^,]+),ou=user,dc=cw$$"
>                 attrs=children
>         by dn.exact,expand="cn=$1,ou=user,dc=cw" write
>         by dn.exact="cn=admin,ou=user,dc=cw" write
>         by * none
>
> # allow no-one else read access to one's addressbook entry
> access to dn.regex="^ou=addressbook,cn=([^,]+),ou=user,dc=cw$$"
>         by dn.exact,expand="cn=$1,ou=user,dc=cw" read
>         by dn.exact="cn=admin,ou=user,dc=cw" write
>         by * none
>
> # allow one to create entries in its own addressbook;
> # no-one else can read it
> access to dn.regex="[^,]+,ou=addressbook,cn=([^,]+),ou=user,dc=cw$$"
>                 attrs=entry,<list what attributes one needs to write>
>         by dn.exact,expand="cn=$1,ou=user,dc=cw" write
>         by dn.exact="cn=admin,ou=user,dc=cw" write
>         by * none
>
> # allow everybody to read everything else, including
> # the company-wide addressbook
> access to *
>         by dn.exact="cn=admin,ou=user,dc=cw" write
>         by users read
>         by * none

There is no need to include "by * none" at the end of any of these clauses;
that is the default behavior already. I'm puzzled why you chose to add it on
every clause except the first one.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
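The rule set quoted above follows slapd's ACL evaluation order: the first `access to` clause whose DN and attribute selectors match the request is selected, and within it the first matching `by` clause decides; if no `by` clause matches, access is denied. The toy evaluator below is an added example for this thread, not code from OpenLDAP or from either poster. It encodes the quoted rules with `dn.exact,expand` substitution of `$1`, runs a constructed set of requests through them, and checks that appending `by * none` to every clause changes no decision. The attribute list for addressbook entries (left as a placeholder in the thread) is assumed to be `entry`, `cn` and `mail`; a clause with no `attrs` is treated as applying to every attribute including the `entry` and `children` pseudo-attributes; DNs are compared verbatim, without the normalisation slapd performs.

```python
import re

# Privilege levels in slapd order; granting a level implies every lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

ADMIN = "cn=admin,ou=user,dc=cw"


def slapd_regex(pattern):
    """The quoted rules write the end anchor as '$$'; fold it to '$' for Python's re."""
    return re.compile(pattern.replace("$$", "$"))


def expand(template, match):
    """Substitute $1, $2, ... in a dn.exact,expand template from the target-DN match."""
    return re.sub(r"\$(\d)", lambda g: match.group(int(g.group(1))), template)


# Constructed rule set mirroring the thread. Each clause is
# (target regex or "*", attribute set or None = all attributes, ordered "by" list);
# each "by" entry is (selector, argument, level).
ACL = [
    ("*", {"userPassword"},
     [("self", None, "write"), ("dn.exact", ADMIN, "write"), ("anonymous", None, "auth")]),
    ("^cn=([^,]+),ou=user,dc=cw$$", None,
     [("self", None, "read"), ("dn.exact", ADMIN, "write")]),
    ("^ou=addressbook,cn=([^,]+),ou=user,dc=cw$$", {"children"},
     [("dn.exact,expand", "cn=$1,ou=user,dc=cw", "write"), ("dn.exact", ADMIN, "write")]),
    ("^ou=addressbook,cn=([^,]+),ou=user,dc=cw$$", None,
     [("dn.exact,expand", "cn=$1,ou=user,dc=cw", "read"), ("dn.exact", ADMIN, "write")]),
    # The thread leaves the attribute list as a placeholder; {"entry","cn","mail"} is assumed.
    ("[^,]+,ou=addressbook,cn=([^,]+),ou=user,dc=cw$$", {"entry", "cn", "mail"},
     [("dn.exact,expand", "cn=$1,ou=user,dc=cw", "write"), ("dn.exact", ADMIN, "write")]),
    ("*", None,
     [("dn.exact", ADMIN, "write"), ("users", None, "read")]),
]


def by_matches(selector, arg, requester, target_dn, match):
    """Does one <by> selector match the requester (None = anonymous bind)?"""
    if selector == "*":
        return True
    if selector == "anonymous":
        return requester is None
    if selector == "users":
        return requester is not None
    if selector == "self":
        return requester == target_dn
    if selector == "dn.exact":
        return requester == arg
    if selector == "dn.exact,expand":
        return requester == expand(arg, match)
    raise ValueError(selector)


def granted_level(acl, requester, target_dn, attr):
    """First matching access clause wins; inside it the first matching by clause
    decides. No matching by clause means 'none', which is the implicit default."""
    for target, attrs, by_list in acl:
        if attrs is not None and attr not in attrs:
            continue
        match = None
        if target != "*":
            match = slapd_regex(target).search(target_dn)
            if match is None:
                continue
        for selector, arg, level in by_list:
            if by_matches(selector, arg, requester, target_dn, match):
                return level
        return "none"
    return "none"


def permitted(acl, requester, target_dn, attr, needed):
    return LEVELS.index(granted_level(acl, requester, target_dn, attr)) >= LEVELS.index(needed)


def with_explicit_deny(acl):
    """Append 'by * none' to every clause, as the quoted configuration does."""
    return [(t, a, by + [("*", None, "none")]) for t, a, by in acl]


ALICE, BOB = "cn=alice,ou=user,dc=cw", "cn=bob,ou=user,dc=cw"
ALICE_BOOK = "ou=addressbook,cn=alice,ou=user,dc=cw"

# Constructed request matrix: (requester, target DN, attribute, level needed).
REQUESTS = [
    (None, ALICE, "userPassword", "auth"),                 # anonymous may bind
    (None, ALICE, "userPassword", "read"),                 # but not read the hash
    (ALICE, ALICE, "mail", "read"),                        # own entry
    (BOB, ALICE, "mail", "read"),                          # someone else's entry
    (ALICE, ALICE_BOOK, "children", "write"),              # add to own addressbook
    (BOB, ALICE_BOOK, "children", "write"),                # add to another's
    (BOB, "cn=carol," + ALICE_BOOK, "mail", "read"),       # read another's contact
    (ALICE, "cn=carol,ou=addressbook,dc=cw", "mail", "read"),  # company-wide book
    (None, "cn=carol,ou=addressbook,dc=cw", "mail", "read"),   # anonymous, same
]


def decisions(acl):
    return [permitted(acl, *r) for r in REQUESTS]


def explicit_deny_is_redundant():
    return decisions(ACL) == decisions(with_explicit_deny(ACL))


if __name__ == "__main__":
    for req, ok in zip(REQUESTS, decisions(ACL)):
        print(req, "->", "allow" if ok else "deny")
    print("adding 'by * none' everywhere changes nothing:", explicit_deny_is_redundant())
```

Because `granted_level` returns `none` as soon as the selected clause runs out of `by` entries, the trailing `by * none` is reached only when every earlier selector has already failed and yields the same result the implicit default would.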