Thanks for the help, Pierangelo, but it's still not working.
Pierangelo Masarati wrote:
What about a brute force approach, piping /dev/random into slapd.conf?
How can I do this?
Or, try (please replace "dc=suffix" with your suffix; I had to use it otherwise my mailer would automatically wrap stuff)
# allow to write the "ou=ImPrefs" below self (must exist)
access to dn.regex="^ou=ImPrefs,uid=([^,]+,ou=People,dc=suffix)$" by dn.exact,expand="uid=$2" write
This doesn't work: user1 reads ImPrefs from other users and can't write its own ImPrefs. But my following regex works fine:
access to dn.regex="^.*,uid=([^,]+),(.*),ou=People,dc=ucs,dc=br$" by dn.exact,expand="uid=$1,$2,ou=People,dc=ucs,dc=br" write by * none
# allow to create objects in one's addressbook (must exist)
access to dn.regex="cn=([^,]+),ou=PersonalAddressBook,dc=suffix$" attrs=children by dn.exact,expand="uid=$1,ou=People,dc=suffix" write
# allow to create objects in one's addressbook
access to dn.regex="(.+,)?cn=([^,]+),ou=PersonalAddressBook,dc=suffix$" by dn.exact,expand="uid=$2,ou=People,dc=suffix" write
I tried this and it doesn't work :-(
I also tried to adapt it to my LDAP structure:
access to dn.regex="ou=([^,]+),cn=*,ou=PersonalAddressBook,dc=suffix$" by dn.exact,expand="uid=$1,*,ou=People,dc=ucs,dc=br" write
but it doesn't work. It's not so easy :-(
I note that if you need to do something special, like allow a user to create the "ou=ImPrefs" entry, or the "cn=<uid>" entry in "ou=PersonalAddressBook,dc=suffix", then you'll need more rules to allow entry and children writing.
None work yet. I set debug ACL in my slapd.conf and get this log when I try to change my own PersonalAddressBook with the ACL:
access to dn.regex="ou=([^,]+),cn=*,ou=PersonalAddressBook,dc=suffix$" by dn.exact,expand="uid=$1,*,ou=People,dc=ucs,dc=br" write
LOG:
slapd[3497]: modifications:
slapd[3497]: ^Ireplace: mail
slapd[3497]: ^I^Ione value, length 14
slapd[3497]: conn=0 op=12 MOD dn="cn=foo bar,ou=user1,ou=PersonalAddressBook,dc=suffix"
slapd[3497]: conn=0 op=12 MOD attr=mail
slapd[3497]: bdb_dn2entry("cn=foo bar,ou=user1,ou=personaladdressbook,dc=suffix")
slapd[3497]: bdb_modify: cn=foo bar,ou=user1,ou=PersonalAddressBook,dc=suffix
slapd[3497]: bdb_dn2entry("cn=foo bar,ou=user1,ou=personaladdressbook,dc=suffix")
slapd[3497]: bdb_modify_internal: 0x00021fa3: cn=foo bar,ou=user1,ou=PersonalAddressBook,dc=suffix
slapd[3497]: => access_allowed: delete access to "cn=foo bar,ou=user1,ou=PersonalAddressBook,dc=suffix" "mail" requested
slapd[3497]: => dnpat: [4] ^.*,uid=([^,]+),(.*),ou=People,dc=suffix$ nsub: 2
slapd[3497]: => dnpat: [5] ou=([^,]+),cn=*,ou=PersonalAddressBook,dc=suffix$ nsub: 1
slapd[3497]: => acl_get: [6] attr mail
slapd[3497]: access_allowed: no res from state (mail)
slapd[3497]: => acl_mask: access to entry "cn=foo bar,ou=user1,ou=PersonalAddressBook,dc=suffix", attr "mail" requested
May 15 09:27:36 ops2 slapd[3497]: => acl_mask: to all values by "uid=user1,ou=npdu,ou=prad,ou=reit,ou=people,dc=suffix", (=0)
slapd[3497]: <= check a_dn_pat: *
slapd[3497]: <= acl_mask: [1] applying read(=rscxd) (stop)
slapd[3497]: <= acl_mask: [1] mask: read(=rscxd)
slapd[3497]: => access_allowed: delete access denied by read(=rscxd)
slapd[3497]: bdb_modify: modify failed (50)
slapd[3497]: send_ldap_result: conn=0 op=12 p=3
slapd[3497]: send_ldap_result: err=50 matched="" text=""
slapd[3497]: send_ldap_response: msgid=13 tag=103 err=50
slapd[3497]: conn=0 op=12 RESULT tag=103 err=50 text=
If you have more suggestions, please let me know.
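An added example, not part of this thread and not OpenLDAP's own code: a small Python simulator of how a dn.regex "to" clause is matched and how $N is expanded into the "by" clause, so an ACL can be checked offline against the DNs from the log before touching slapd.conf. It approximates slapd's behaviour (case-insensitive POSIX regex on the normalized DN, verbatim $N substitution); the sample target and bind DNs are constructed from the ones visible in the log above, and the rewritten rule (a "(.+,)?ou=([^,]+),ou=PersonalAddressBook" target with a dn.regex,expand subject, a by-clause style documented in slapd.access(5)) is my assumption about what fits the tree in the log, not a rule from the thread. Verify any rule it approves with the server's ACL debug output, as done above.

```python
import re

# Constructed sample DNs, modelled on the ones in the slapd log of this thread.
TARGET_DN = "cn=foo bar,ou=user1,ou=PersonalAddressBook,dc=suffix"
BIND_DN = "uid=user1,ou=npdu,ou=prad,ou=reit,ou=People,dc=suffix"

# The rule from the thread that never matched (note: in a regex, "cn=*" means
# the letters "cn" followed by zero or more "=" characters, not a wildcard RDN).
OP_TO = r"ou=([^,]+),cn=*,ou=PersonalAddressBook,dc=suffix$"
OP_BY = "uid=$1,*,ou=People,dc=ucs,dc=br"

# Hypothetical rewrite for a tree where the user's container is ou=<uid> under
# PersonalAddressBook and the user entry sits at an unknown depth below
# ou=People: capture the uid, then match the bind DN with a regex subject.
TREE_TO = r"(.+,)?ou=([^,]+),ou=PersonalAddressBook,dc=suffix$"
TREE_BY = r"^uid=$2,.*,ou=People,dc=suffix$"


def evaluate_rule(target_dn, bind_dn, to_regex, by_style, by_pattern):
    """Approximate one slapd ACL clause.

    by_style is "exact" (dn.exact,expand: expanded string must equal the bind
    DN) or "regex" (dn.regex,expand: expanded string is a regex over the bind
    DN). Returns (target_matched, expanded_by, subject_matched).
    """
    m = re.search(to_regex, target_dn, re.IGNORECASE)
    if not m:
        # Target pattern did not match: this clause is skipped entirely, and
        # slapd falls through to later rules (in the log, the "by * read" one).
        return (False, None, False)

    def substitute(token):
        # $N -> Nth capture group; an unmatched optional group expands to "".
        return m.group(int(token.group(1))) or ""

    expanded = re.sub(r"\$(\d)", substitute, by_pattern)
    if by_style == "exact":
        subject_ok = expanded.lower() == bind_dn.lower()
    else:
        subject_ok = re.search(expanded, bind_dn, re.IGNORECASE) is not None
    return (True, expanded, subject_ok)


def check_thread_rules():
    """Run both rules against the sample DNs and return the results."""
    return {
        "original": evaluate_rule(TARGET_DN, BIND_DN, OP_TO, "exact", OP_BY),
        "rewrite_owner": evaluate_rule(TARGET_DN, BIND_DN, TREE_TO, "regex", TREE_BY),
        "rewrite_other_user": evaluate_rule(
            TARGET_DN, "uid=user2,ou=npdu,ou=People,dc=suffix",
            TREE_TO, "regex", TREE_BY),
    }


if __name__ == "__main__":
    for name, result in check_thread_rules().items():
        print(name, result)
```

Two things the simulator makes visible: the original target regex fails before the "by" clause is even consulted, which matches the log where the modify ended up under the catch-all read rule; and whatever is captured by "[^,]+" is substituted verbatim into the subject pattern, so keep that group as tight as the naming scheme allows and make sure only an administrator can create the ou=<uid> containers whose RDN feeds it.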