Re: ACL with val.regex expression
On Fri, 11 Oct 2013 16:35:34 -0400, Mark Dieterich <mkd@cs.brown.edu> wrote:
> Hi all,
>
> I'm banging my head against a wall trying to get one particular ACL
> setup. We want our users, with the exception of those that have a
> restricted shell, to be able to change their own shell values. A
> typical user looks like:
>
> dn: uid=user,ou=people,dc=cs,dc=brown,dc=edu
> objectClass: top
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: krb5Principal
> objectClass: sambaSamAccount
> objectClass: ownCloudUser
> objectClass: mailUser
> ...
> loginShell: /bin/bash
>
> We'd ideally like to have an ACL in place that looks like:
>
> access to dn.subtree="ou=people,dc=cs,dc=brown,dc=edu"
> attrs=loginShell val.regex="/bin/[^f][^s][^h]"
> by ssf=128 self write
> by * read
>
> The idea being that a user with a loginShell value of /bin/fsh would
> NOT be allowed to change their shell value. However, with this rule
> in place, no user is able to change their shell value. Even if I
> change the rule to be:
>
> access to dn.subtree="ou=people,dc=cs,dc=brown,dc=edu"
> attrs=loginShell val.exact="/bin/bash"
> by ssf=128 self write
> by * read
>
> users with loginShell of /bin/bash still can't change their own
> values. If I drop the val.<type>="<whatever>" restriction, users can
> change their shell values just fine. This is the first time I've ever
> used an ACL with a val.<type>= restriction, but I've scoured the
> internet and I can't for the life of me figure out what I'm doing
> wrong. I'm happy to have someone here give me a dope slap... I'm
> just tired of the headaches ;)
You should probably check with slapacl(8).
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
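An added example, not part of either message in this thread: the Python below applies the thread's val.regex pattern to a constructed list of loginShell values to show which values it actually selects. It assumes slapd evaluates val.regex as an unanchored POSIX extended regex against each attribute value, so re.search is a close model. The point it makes is that "/bin/[^f][^s][^h]" is three single-character classes in a row, not "anything except fsh": it also rejects /bin/zsh, /bin/ksh and /bin/sh, and, being unanchored, it accepts /usr/local/bin/bash. The second pattern, EXCLUDE_ONLY_FSH, is my own ERE rewrite (no lookahead is available in POSIX regex) that selects every /bin/ path except exactly /bin/fsh; it is an assumption about what the poster intended, not something the thread states.

```python
import re

# The val.regex clause from the first ACL in the thread, verbatim.
THREAD_PATTERN = r"/bin/[^f][^s][^h]"

# Assumed rewrite (not from the thread): POSIX ERE has no lookahead, so
# "every /bin/ path except exactly /bin/fsh" is spelled out case by case:
# first char not f; f not followed by s; fs not followed by h; fsh plus more.
EXCLUDE_ONLY_FSH = r"^/bin/([^f].*|f([^s].*)?|fs([^h].*)?|fsh.+)$"

# Constructed sample loginShell values; only /bin/bash and /bin/fsh
# appear in the thread itself.
SAMPLE_SHELLS = [
    "/bin/bash", "/bin/tcsh", "/bin/zsh", "/bin/ksh",
    "/bin/sh", "/bin/fsh", "/bin/false", "/usr/local/bin/bash",
]


def value_selected(pattern: str, value: str) -> bool:
    """Return True if the val.regex pattern selects this attribute value.

    Assumption: slapd compiles val.regex with POSIX extended syntax and
    matches it unanchored against each value, so a hit anywhere in the
    string counts. re.search behaves the same way for patterns like these.
    """
    return re.search(pattern, value) is not None


def classify(pattern: str, values: list) -> dict:
    """Map each candidate value to whether the pattern selects it."""
    return {v: value_selected(pattern, v) for v in values}


def compare(values: list) -> list:
    """Side-by-side selection result of both patterns for each value."""
    return [
        (v, value_selected(THREAD_PATTERN, v), value_selected(EXCLUDE_ONLY_FSH, v))
        for v in values
    ]


if __name__ == "__main__":
    print(f"{'loginShell':22} {'thread regex':>13} {'exclude fsh':>12}")
    for value, by_thread, by_rewrite in compare(SAMPLE_SHELLS):
        print(f"{value:22} {str(by_thread):>13} {str(by_rewrite):>12}")
```

This only answers which values the val.regex clause selects. Whether a particular modify is then permitted is what slapacl(8) reports; an invocation of the shape `slapacl -F /etc/openldap/slapd.d -D "uid=user,ou=people,dc=cs,dc=brown,dc=edu" -b "uid=user,ou=people,dc=cs,dc=brown,dc=edu" -o ssf=128 loginShell/write:/bin/zsh` (config path and the -o ssf option assumed from the man page, adjust to the local setup) can be run once with the value being removed and once with the value being added, which shows which of the two the rule refuses.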