Hi,
I adopted the address book sample from the FAQ but I want to have a separate hierarchy. Also included there: The public address book.
Why? Because on the client I need to enter only one base and the global book automatically merges with the global one.
These are my current ACLs:
# admin is allowed to do all
access to *
        by dn.exact="uid=admin,ou=int,ou=users,dc=example,dc=com" write
        by * break

access to attrs=userPassword
        by anonymous auth
        by self =wscx
        by * none

access to attrs=shadowLastChange,sambaNTPassword,sambaLMPassword
        by self =wscx
        by * none

# individual books
# read the own book
access to dn.regex="^ou=([^,]+),ou=Address Book,dc=example,dc=com$" attrs=entry,@organizationalUnit
        by dn.exact,expand="uid=$1,ou=int,ou=users,dc=example,dc=com" read
        by * break

# create children in address book
access to dn.regex="^ou=([^,]+),ou=Address Book,dc=example,dc=com$" attrs=children
        by dn.exact,expand="uid=$1,ou=int,ou=users,dc=example,dc=com" write
        by * break

# create entries
access to dn.regex="[^,]+,ou=([^,]+),ou=Address Book,dc=example,dc=com$" attrs=entry,@inetOrgPerson
        by dn.exact,expand="uid=$1,ou=int,ou=users,dc=example,dc=com" write
        by * break

# global
access to dn.exact="ou=Address Book,dc=example,dc=com"
        by dn.regex="^uid=[^,]+,ou=int,ou=users,dc=example,dc=com$" read
        by * break

access to dn.subtree="ou=global,ou=Address Book,dc=example,dc=com"
        by dn.regex="^uid=[^,]+,ou=int,ou=users,dc=example,dc=com$" read
        by * break

# "reader" should be able to read anything else (libnss-ldap etc).
access to *
        by dn="uid=reader,dc=example,dc=com" read
        by self read
        by * none
Now I want the users to be also able to create their own container under ou=Address book.
What is the correct ACL entry for that?
Best regards, Luke
PS: Is the ACL layout bad in common? What would you change?
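One way to grant the container creation asked for above, written as an added slapd.conf example rather than as part of the original message. It assumes the same DIT as the posted ACLs (users live under ou=int,ou=users,dc=example,dc=com) and that each user should own exactly one container named after their uid.

```conf
# Added example, not from the original message. Lets uid=<name> create and
# own the single container ou=<name>,ou=Address Book,dc=example,dc=com.

# 1. The parent must allow the user to add children. Put this BEFORE the
#    "global" rule on ou=Address Book: that rule has no attrs= clause, so
#    it also matches the children pseudo-attribute and would stop
#    evaluation with "read" for every uid=*,ou=int user.
access to dn.exact="ou=Address Book,dc=example,dc=com" attrs=children
        by dn.regex="^uid=[^,]+,ou=int,ou=users,dc=example,dc=com$" write
        by * break

# 2. The new entry itself. An add needs write on the entry pseudo-attribute
#    and on the attributes being added. $1 ties the container name to the
#    bind DN, so uid=luke can only create ou=luke, never ou=someone-else.
#    The posted "read the own book" rule grants only read here; this
#    replaces it.
access to dn.regex="^ou=([^,]+),ou=Address Book,dc=example,dc=com$" attrs=entry,@organizationalUnit
        by dn.exact,expand="uid=$1,ou=int,ou=users,dc=example,dc=com" write
        by * break
```

The parent-level children grant alone cannot name the child, so the second rule is what keeps users out of each other's containers; a non-owner falls through to the final "access to *" rule and gets none on the entry, so it can neither add nor delete it. The result can be checked offline with slapacl, e.g. slapacl -D "uid=luke,ou=int,ou=users,dc=example,dc=com" -b "ou=Address Book,dc=example,dc=com" children/write.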