[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL that makes me crazy

Julien Buratto wrote:

'llo there :-D

I've a tree like:

ou=login,o=linkas,c=it # This is where I store users
ou=info,o=linkas,c=it  # This is where I store data

user "myself" should access:  ou=1,ou=info,o=linkas,c=it
user "himself" should access: ou=2,ou=info,o=linkas,c=it
user "herself" should access: ou=3,ou=info,o=linkas,c=it

I want each user be owner of its own tree but I don't want each other see other's contents

# This should deny access to anyone, but hey!, keep on reading
access to dn.children="ou=info,o=linkas,c=it"
    by users read continue
        by * none
# This should allow each user to have access on its own branch
access to dn.subtree="ou=1,ou=info,o=linkas,c=it"
        by dn.base="uid=myself,ou=login,o=linkas,c=it" write
access to dn.subtree="ou=2,ou=info,o=linkas,c=it"
        by dn.base="uid=himself,ou=login,o=linkas,c=it" write
access to dn.subtree="ou=3,ou=info,o=linkas,c=it"
        by dn.base="uid=herself,ou=login,o=linkas,c=it" write

No way to get it :-(

What's the meaning of "no way"? Do you get everybody to read everything, or anybody reading anything? I'm asking because this seems to be a very simplified and incomplete portion of your ACLs. Moreover, what software version are you using? In any case, try adding

access to attrs=userPassword
   by self =xw
   by * auth

or, if you wish, a more specific

access to dn.subtree="ou=login,o=linkas,c=it" attrs=userPassword
   by self =xw
   by * auth

before any other rule; instead of your first rule, you should use

access to dn.base="ou=info,o=linkas,c=it" attrs=children
   by users =w

if you need to let your users add/delete their own info baseObject.
You can safely omit all the "by * none" clauses; as clearly stated in slapd.access(5) and in the FAQ, that's the default, so it's pointless.

the rest of your rules look fine.

   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497