
Re: ACL questions



Mailing List wrote:

> Hello,
>
> I would like to do exactly what the following FAQ entry describes:
>
> http://www.openldap.org/faq/data/cache/653.html
>
> i.e. allow a user to write below his own entry.
>
> but when I start slapd, it claimed that dn.expand is not admitted
> here or something like that ...

It depends on what version of the software you're using, but in any case I wouldn't use any that doesn't accept that style modifier, and I'd definitely upgrade to the latest stable.




> access to dn.regex="^.*,(uid=.*,o=Company)$$"
>         by dn.expand="$1" write
>         by anonymous auth
>
> First, does this ACL work for someone?
> If not, do you have a workaround?

That's blatantly wrong for many reasons; I suggest you fix the FAQ after seeing if it works as intended.


1) a regex pattern starting with "^.*" is nonsense, because ".*" can match anything, so it will surely match from the beginning.
2) an (impossible) string ",uid=..." would match as well, although it's not a valid DN, while a DN "uid=..." would not match because it has no leading comma ",".
3) a pattern "uid=.*," means that any value, from "" to "foo,ou=disabled", would match, giving disabled users write access to their entry and children. Use "uid=[^,]+" if this is what you mean.
4) the trailing "$$" is meaningless; use only one to force a match to the end of the string.
5) "dn.expand" means nothing; it has to be "dn.<style>,expand"; in this case, I assume you mean a style of "exact".


There could be more inconsistencies I'm not noticing at the moment.
So, that ACL should look like

access to dn.regex="(.+,)?(uid=[^,]+,o=Company)$"
   by dn.exact,expand="$2" write
   by anonymous auth

If the version you're using is so old that it doesn't support the "expand" style modifier, you can use

access to dn.regex="(.+,)?(uid=[^,]+,o=Company)$"
   by dn.regex="$2" write
   by anonymous auth

p.



   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
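The regex problems listed in the reply, and the difference between the FAQ's ACL and the corrected one, can be checked offline without a running slapd. The Python script below is an added example written for this page, not code from the thread or from OpenLDAP. It re-implements only the pieces of ACL evaluation the reply talks about: the dn.regex <what> match against the target DN, the ",expand" substitution of $N / ${N} with the captured groups, and the dn.exact comparison of the expanded <by> clause against the bound DN. The sample DNs are constructed for the demonstration; treating slapd's regex as a case-insensitive, unanchored POSIX extended search and approximating it with Python's re.search is an assumption (no lazy quantifiers or lookarounds are used, so the two agree on these patterns).

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample <what> patterns (not from a live slapd.conf):
# the FAQ's pattern as posted in the thread, with its trailing "$$"
# reduced to a single "$", and the corrected pattern from the reply.
FAQ_WHAT = r"^.*,(uid=.*,o=Company)$"
FIXED_WHAT = r"(.+,)?(uid=[^,]+,o=Company)$"

# Assumption: slapd compiles ACL regexes as case-insensitive POSIX ERE and
# runs an unanchored search; re.search with IGNORECASE stands in for that.
_FLAGS = re.IGNORECASE

# $N or ${N}: the substitution syntax understood by the ",expand" modifier.
_SUBST = re.compile(r"\$\{(\d)\}|\$(\d)")


def match_what(pattern: str, target_dn: str) -> Optional[re.Match]:
    """Apply the <what> dn.regex clause to the DN being accessed."""
    return re.search(pattern, target_dn, _FLAGS)


def expand(template: str, m: re.Match) -> str:
    """Replace $N / ${N} in a <by> clause with the groups captured by the
    <what> match, as ",expand" does.  Absent groups expand to nothing."""
    def repl(s: re.Match) -> str:
        idx = int(s.group(1) or s.group(2))
        if idx > m.re.groups:
            return ""
        return m.group(idx) or ""
    return _SUBST.sub(repl, template)


def grants_write(what_pattern: str, by_template: str,
                 target_dn: str, bound_dn: str) -> bool:
    """Evaluate
         access to dn.regex="<what_pattern>"
             by dn.exact,expand="<by_template>" write
       for one (target entry, bound identity) pair and report whether the
       bound DN would be granted write on that entry."""
    m = match_what(what_pattern, target_dn)
    if m is None:
        return False                 # the ACL does not apply to this entry
    who = expand(by_template, m)
    # dn.exact compares whole DNs; slapd compares normalized DNs, so a
    # case-insensitive comparison is used here.
    return who.casefold() == bound_dn.casefold()


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Run constructed scenarios through the FAQ ACL (by dn.exact,expand="$1")
    and the corrected ACL (by dn.exact,expand="$2").  Each result is
    (write granted under FAQ pattern, write granted under fixed pattern)."""
    cases = {
        # name: (target entry, DN the client bound as)
        "child of own entry":
            ("cn=addr,uid=bob,o=Company", "uid=bob,o=Company"),
        "own entry":
            ("uid=bob,o=Company", "uid=bob,o=Company"),
        # point 3 in the reply: "uid=.*," swallows ",ou=disabled"
        "child of a disabled user":
            ("cn=addr,uid=foo,ou=disabled,o=Company",
             "uid=foo,ou=disabled,o=Company"),
        "other user's subtree":
            ("cn=addr,uid=bob,o=Company", "uid=eve,o=Company"),
    }
    results = {}
    for name, (target, bound) in cases.items():
        results[name] = (grants_write(FAQ_WHAT, "$1", target, bound),
                         grants_write(FIXED_WHAT, "$2", target, bound))
    return results


if __name__ == "__main__":
    for name, (faq, fixed) in demo().items():
        print(f"{name:28s} FAQ acl: {faq!s:5s} corrected acl: {fixed!s}")
```

Running it shows the FAQ pattern handing a user under ou=disabled write access to its subtree (the capture "uid=foo,ou=disabled,o=Company" expands into the <by> clause and equals the bound DN), while the corrected "uid=[^,]+" capture never matches that DN. It also shows the "own entry" row: the FAQ's "^.*," demands a comma before "uid=", so the entry itself is never covered, whereas "(.+,)?" makes the prefix optional.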