
Re: ACL for object creation in subtree with specific attributes and object classes



On Tue, 5 Aug 2014 16:26:44 +0200, Simeon Ott <simeon.ott@onnet.ch> wrote:

> 
> On 05.08.2014, at 15:00, Dieter Klünter <dieter@dkluenter.de> wrote:
> 
> > On Tue, 5 Aug 2014 13:39:13 +0200, Simeon Ott <simeon.ott@onnet.ch> wrote:
> > 
> >> On 05.08.2014, at 11:39, Dieter Klünter <dieter@dkluenter.de> wrote:
> >> 
> >>> On Tue, 5 Aug 2014 09:41:36 +0200, Simeon Ott <simeon.ott@onnet.ch> wrote:
> >>> 
> >>>> […]
> >>>> 	by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
> >>>> 	by * read
> >>>> access to *
> >>>> 	by dn.base="cn=admin,dc=mydomain" write
> >>>> 	by * read
> >>>> 
> >>>> ACL rule 4 allows the postmaster to add objects to its "domain"
> >>>> without any restrictions. How can I restrict the object creation
> >>>> to specific object classes and attributes? Let's say postmaster
> >>>> should only be able to add objects like the following:
> >>> [...]
> >>> man slapd.access(5), the <WHAT> field: @<objectClass>
> >>> 
> >>> -Dieter
> >>> 
> >> 
> >> Thanks Dieter, I tried the following already … instead of rules 3
> >> and 4 I used the following:
> >> 
> >> access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=intra,dc=onnet,dc=ch$"
> >>     attrs=@CourierMailAccount,@inetOrgPerson,@top,@Vacation,entry,vacationInfo,smtpRelayFlag,description,vacationForward,displayName,givenName,homePhone,homePostalAddress,initials,mobile,postalAddress,postalCode,l,telephoneNumber,title
> >>     by self write
> >>     by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=intra,dc=onnet,dc=ch" write
> >>     by * read
> >> 
> >> access to dn.regex="^ou=(.+),ou=domains,dc=intra,dc=onnet,dc=ch$"
> >>     attrs=children
> >>     by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=intra,dc=onnet,dc=ch" write
> >>     by * read
> >> 
> >> As postmaster I'm still able to add objects to its domain. But I'm
> >> also able to add other object classes and attributes.
> >> 
> >> I think I'm messing around with the attributes entry and children;
> >> can anyone help me clean this up? :-)
> > 
> > run slapd in debugging mode acl and watch the rule number applied
> > to a write operation.
> > 
> 
> Okay, this didn't really help, but thanks anyway. I'm not familiar
> with reading those logs. I adjusted the loglevel to 128 to see the
> ACL processing, but it's still a huge amount of log lines when adding
> such an LDIF. I thought it was going to be an easy task.

I am talking about debugging, not logging!
man slapd(8)

-Dieter

-- 
Dieter Klünter | Systems consulting
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
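The rule set that Dieter's pointer (@<objectClass> in the <what> field) leads to, written out as an added slapd.conf example that is not from the thread or from OpenLDAP's own documentation. It assumes a placeholder suffix dc=example,dc=com and the object classes Simeon names, and it adds a val.regex clause on objectClass, which the thread does not mention, to limit which classes the postmaster may set; the order of the rules is the point, since @top expands to objectClass itself and would otherwise grant write on that attribute.

```conf
# Added example (not from the thread). Suffix dc=example,dc=com is a
# placeholder. slapd evaluates rules top to bottom and stops at the first
# <what> clause matching the attribute being checked, so the objectClass
# rules must precede any rule that uses @<objectClass> in attrs=.

# 1. Which objectClass values the postmaster may write under a domain.
#    A val.regex clause requires attrs= to name exactly one attribute.
access to dn.regex="^(.+,)?ou=([^,]+),ou=domains,dc=example,dc=com$"
        attrs=objectClass
        val.regex="^(top|inetOrgPerson|CourierMailAccount|Vacation)$"
        by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=example,dc=com" write
        by * read

# 2. Any other objectClass value falls through rule 1 and lands here:
#    read only, for the postmaster too, so adding an entry with an
#    unlisted class is rejected.
access to dn.regex="^(.+,)?ou=([^,]+),ou=domains,dc=example,dc=com$"
        attrs=objectClass
        by * read

# 3. The attributes those classes carry, plus the entry pseudo-attribute
#    (needed to add or delete the entry itself). Attributes not in these
#    sets get no write access from this rule, so an add carrying them fails.
access to dn.regex="^(.+,)?ou=([^,]+),ou=domains,dc=example,dc=com$"
        attrs=@inetOrgPerson,@CourierMailAccount,@Vacation,entry
        by self write
        by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=example,dc=com" write
        by * read

# 4. Permission to create entries directly under the domain's ou
#    (children of the ou entry, as in Simeon's second rule).
access to dn.regex="^ou=([^,]+),ou=domains,dc=example,dc=com$"
        attrs=children
        by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=example,dc=com" write
        by * read
```

To see which rule fires for each attribute of an add, start slapd in the foreground with `-d acl` (debug level 128, the same number Simeon used as a loglevel) and perform the add; the ACL trace on the console names the rule that grants or denies each attribute.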