
Re: ACL for object creation in subtree with specific attributes and object classes



On Tue, 5 Aug 2014 22:41:54 +0200,
Simeon Ott <simeon.ott@onnet.ch> wrote:

> On 05.08.2014, at 18:03, Dieter Klünter <dieter@dkluenter.de> wrote:
> 
> 
> Can you help me find the rule applied during the write process of
> an object with uid=1234? I used other objectClasses and attributes
> which are not in the allowed attribute list. The debugging output is
> attached to this email. The current ACL set is listed below.
[...]
> access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=@CourierMailAccount,@inetOrgPerson,@top,@Vacation,entry,cn,sn,homeDirectory,vacationActive,vacationInfo,vacationForward,smtpRelayFlag,description,displayName,givenName,homePhone,homePostalAddress,initials,mobile,postalAddress,postalCode,l,telephoneNumber,title
>     by self write
>     by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
>     by * read
> 
> access to dn.regex="^ou=(.+),ou=domains,dc=mydomain$" attrs=children
>     by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write
>     by * read

These 2 rule sets are applied; the objectClasses are expanded and all
attribute types of these objectClasses are write-allowed. The
restricting attribute types are not considered, as @<objectClass> is
applied and matched.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
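To make the point of the reply concrete, the following added example (not code from the thread or from OpenLDAP) models how slapd expands an `attrs=` list: each `@<objectClass>` entry stands for every attribute the class requires or allows, including attributes inherited from its superior classes, so the explicit attribute names listed beside it add nothing and restrict nothing. The schema fragment is a constructed, simplified one (a handful of attributes per class; `Vacation` is modelled from the attribute names in the poster's ACL), the list is the `attrs=` value from the first ACL above, and `granted_beyond_explicit_list` reports which attributes become writable only through the `@` expansions.

```python
"""Expand a slapd ACL attrs= list the way the reply describes: @<objectClass>
covers every attribute the class requires or allows, so the explicit names
next to it never restrict anything.  Constructed, simplified schema below."""

# Constructed, simplified schema fragment (not the real OpenLDAP schema files):
# each class lists its superior (sup), MUST and MAY attributes. Only a few
# attributes per class are modelled; "Vacation" is assumed from the poster's ACL.
SCHEMA = {
    "top": {"sup": None, "must": ["objectClass"], "may": []},
    "person": {"sup": "top", "must": ["sn", "cn"],
               "may": ["userPassword", "telephoneNumber", "description"]},
    "organizationalPerson": {"sup": "person", "must": [],
                             "may": ["title", "l", "postalAddress", "postalCode"]},
    "inetOrgPerson": {"sup": "organizationalPerson", "must": [],
                      "may": ["displayName", "givenName", "homePhone", "homePostalAddress",
                              "initials", "mail", "mobile", "uid", "jpegPhoto"]},
    "CourierMailAccount": {"sup": "top",
                           "must": ["mail", "homeDirectory", "uidNumber", "gidNumber"],
                           "may": ["mailbox", "quota", "clearPassword"]},
    "Vacation": {"sup": "top", "must": [],
                 "may": ["vacationActive", "vacationInfo", "vacationForward"]},
}

# Pseudo-attributes slapd accepts in attrs= that are not schema attributes.
PSEUDO_ATTRS = {"entry", "children"}

# The attrs= list from the poster's first ACL, verbatim.
POSTER_ATTRS = ("@CourierMailAccount,@inetOrgPerson,@top,@Vacation,entry,cn,sn,"
                "homeDirectory,vacationActive,vacationInfo,vacationForward,smtpRelayFlag,"
                "description,displayName,givenName,homePhone,homePostalAddress,initials,"
                "mobile,postalAddress,postalCode,l,telephoneNumber,title")


def objectclass_attrs(name, schema=SCHEMA):
    """All attributes required or allowed by an objectClass, including those
    inherited from its superior classes (case-insensitive class lookup)."""
    by_lower = {k.lower(): k for k in schema}
    cur = by_lower.get(name.lower())
    if cur is None:
        raise KeyError("unknown objectClass: %s" % name)
    attrs = set()
    while cur is not None:
        entry = schema[cur]
        attrs.update(entry["must"])
        attrs.update(entry["may"])
        cur = entry["sup"]
    return attrs


def _items(attrlist):
    return [a.strip() for a in attrlist.split(",") if a.strip()]


def expand_attrs(attrlist, schema=SCHEMA):
    """Expand a comma-separated attrs= list into the set of attribute names it
    actually covers; '@<oc>' expands to the whole objectClass."""
    covered = set()
    for item in _items(attrlist):
        if item.startswith("@"):
            covered |= objectclass_attrs(item[1:], schema)
        else:
            covered.add(item)
    return covered


def explicit_only(attrlist):
    """The same list with the @objectClass entries dropped: what the rule would
    cover if the explicit attribute list were meant to be the restriction."""
    return ",".join(a for a in _items(attrlist) if not a.startswith("@"))


def granted_beyond_explicit_list(attrlist, schema=SCHEMA):
    """Attributes writable only because of the @objectClass expansions, i.e.
    names the author never listed explicitly (pseudo-attributes ignored)."""
    explicit = set(_items(explicit_only(attrlist)))
    return expand_attrs(attrlist, schema) - explicit - PSEUDO_ATTRS


if __name__ == "__main__":
    extra = sorted(granted_beyond_explicit_list(POSTER_ATTRS))
    print("writable only because of @objectClass:", extra)
    print("explicit-only list covers uid?",
          "uid" in expand_attrs(explicit_only(POSTER_ATTRS)))
```

Running it shows `uid` (the attribute the poster wrote), `mail`, `userPassword` and the Courier account fields among the attributes granted purely by the `@` entries; with the `@objectClass` items removed, `uid` is no longer covered by the rule. If the intent is a restricted writable set, the explicit list has to stand on its own rather than sit beside `@<objectClass>` entries.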