Re: Help for special ACL needed

Florian Götz <f.goetz@hs-mannheim.de> writes:

> A warm "Hello" from Germany to the openldap-technical list!
> I'm rather new to OpenLDAP, using version 2.4.12 on a SLES11 server.
> I need to write an ACL which allows a user to see his own entry (objectClass 
> build up on inetOrgPerson) and nothing else.
> I know that this isn't the intended use of the LDAP system, but our manager 
> wants it that way.
> I tried it with something like this:
> access to dn.regex="uid=([^,]+),dc=justushere,dc=de$" attrs=entry
>   by dn.regex="uid=$1,ou=Users,dc=justushere,dc=de" write
>   by users none
> but I just get a message about invalid credentials.
> Used command was:
> ldapsearch -xWD uid=user1,ou=users,dc=justushere,dc=de uid=user1

According to your ACLs, a subtree search is not allowed.
> ldapsearch -xWD cn=admin,dc=justushere,dc=de uid=user1  with the rootdn 
> account shows the information, but if the uid of the user1 is used for binding 
> it fails.
> Has anyone an idea how to realize these restrictions?

access to dn.regex="^uid=([^,]+),dc=justushere,dc=de$"
       attrs=entry,more attrs
        by dn.exact,expand="uid=$1,ou=Users,dc=justushere,dc=de" write
        by * none

ldapsearch -x -W -D uid=user1,ou=users,dc=justushere,dc=de -b uid=user1,ou=users,dc=justushere,dc=de -s base
should do what you want.
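A complete self-view ACL set as an added example for this thread (constructed here, not the poster's or the responder's configuration); it uses "by self", which is equivalent to the dn.exact,expand form in the reply whenever the bind DN is the entry itself, and grants read rather than write so the owner cannot rename or delete the entry. It assumes the user entries live directly under ou=Users,dc=justushere,dc=de, as the bind DN in the quoted ldapsearch suggests; the first rule is what the quoted ACL lacks and is the usual cause of "invalid credentials", since slapd ends every access list with an implicit "access to * by * none".

```conf
# Added example, not taken from the thread. Assumes user entries are
# uid=<name>,ou=Users,dc=justushere,dc=de (same layout as the bind DN above).

# 1. A simple bind compares the supplied password against userPassword
#    while the connection is still anonymous, so anonymous needs "auth"
#    on that attribute. Without this rule the implicit trailing
#    "access to * by * none" denies the compare and the bind fails.
#    "by self write" lets users change their own password; replace it
#    with "by self =xw" or drop it if that is not wanted.
access to dn.children="ou=Users,dc=justushere,dc=de"
        attrs=userPassword
        by self write
        by anonymous auth
        by * none

# 2. The owner may read every other attribute of the own entry,
#    including the "entry" pseudo-attribute that a base-scope search
#    needs. Rule 1 already matched userPassword, so it is never
#    returned here. "self" is the bound DN equal to the target DN,
#    i.e. what dn.exact,expand="uid=$1,ou=Users,..." expresses above.
access to dn.children="ou=Users,dc=justushere,dc=de"
        by self read
        by * none

# 3. Everything else (other users' entries, ou=Users itself, the
#    suffix) is denied. slapd would apply this implicitly; writing it
#    out documents the intent. The rootdn is never subject to ACLs.
#    Consequence: a search based at the suffix or at ou=Users is not
#    permitted, so clients must search their own DN with -s base,
#    exactly as the ldapsearch line in the reply does.
access to *
        by * none
```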
