[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Rights to create a new entry

Mailing List wrote:

After a lot of tries, I manage to autorise a user to
create a subentry of it own entry with the following

access to dn.regex="[^,]+,(cn=[^,]+,ou=users,dc=ouba,dc=org)$" attrs="children"
by anonymous none
by users none

access to dn.regex="[^,]+,(cn=[^,]+,ou=users,dc=ouba,dc=org)$"
by dn.exact,expand="$2" write
by anonymous none
by users none

Given the second rule, the above is irrelevant, because you're giving write access to the "children" pseudo-attribute of something, but you're not going to give write access to the "entry" pseudo-attribute of its children... If you feel so pedantic, you should maybe consider that you don't want to allow access of whatever stuff, do you? I suggest you precisely list the attributes you want to allow.

In the second rule, the <by anonymous none>, <by users none> is redundant; it can be summarized in <by * none>; but then it's irrelevant, because this is the default behavior so you can omit everything after the <by dn...> clause. However, this ACL setup is still missing the access to the "children" pseudo-attribute of "^cn=[^,]+,ou=users,dc=ouba,dc=org$", you won't be able to add any entry without it.

Add a

access to dn.regex="^cn=[^,]+,ou=users,dc=ouba,dc=org$" attrs=children
       by self write

directive to see it work.

The first one is

... useless ...

to autorise only one level because the second
one give implicit write permission to the children attribute.

Then, in order to modify easily the entry with phpldapadmin, I
have to add this ACL :

access to dn.base="cn=SubSchema" attrs="objectClasses,attributeTypes,ldapSyntaxes"
by anonymous none
by users read

According to RFC 2251 (3.2.2. Subschema Entries and Subentries) the server MUST give access to the values in the subschemaSubentry of the entries whose modification is allowed, so that clients can see what's the schema for the write operations they're going to perform. So, as soon as an identity is allowed to perform a write operation, you must give it access to the appropriate contents of the "cn=subschema". Apparently, phpldapadmin is a wise client.

Now, I have a little problem, because in reality, when I look
for the log, it seems the $2 is not expanded correctly :

then use <by dn.regex="^$2$$" write>.

Note, however, that there is no #2 substring in your <what> pattern: I only see one set of round brackets.


SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497