Jeronimo Zucco wrote:
Sam Tran wrote:
access to dn.regex="^ou=ImpPrefs,uid=([^,]+),ou=People,dc=domain,dc=br$" attrs=children by dn.regex,expand="uid=$1,ou=people,dc=domain,dc=br" write by * none
access to dn.regex="^cn=([^,]+),ou=PersonalAddressBook,dc=domain,dc=br$" attrs=children by dn.regex,expand="uid=$1,ou=people,dc=domain,dc=br" write by * none
Sam
Thanks for the help for everyone.
ImpPrefs works ok with:
access to dn.regex="^.*,uid=([^,]+),(.*),ou=People,dc=domain,dc=br$" by dn.exact,expand="uid=$1,$2,ou=People,dc=domain,dc=br" write by * none
But PersonalAddressBook still has problems.
With:
access to dn.regex="^cn=([^,]+),ou=PersonalAddressBook,dc=domain,dc=br$" attrs=children by dn.regex,expand="uid=$1,ou=people,dc=domain,dc=br" write by * none
Everyone accesses the PersonalAddressBook of others.
With:
access to dn.regex="^.*,(uid=[^,]+,.+,ou=People,dc=domain,dc=br)$" by dn.exact,expand="$1" write
It is too permissive, I guess.
Your guess is wrong. They're perfectly equivalent, but mine is much more efficient. But please, keep guessing...
I also tried:
access to dn.regex="ou=([^,]+),ou=PersonalAddressBook,dc=domain,dc=br$" by dn.exact,expand="uid=$1,.*" write by anonymous read
Doesn't work.
access to dn.regex="^.*,ou=([^,]+),ou=PersonalAddressBook,dc=domain,dc=br$" by dn.exact,expand="uid=$1,.*" write by anonymous read
Doesn't work either :-(
This is an ACL mystery :-)
If you have more suggestions, I will appreciate them.
What about a brute force approach, piping /dev/random into slapd.conf?
Or, try (please replace "dc=suffix" with your suffix; I had to use it otherwise my mailer would automatically wrap stuff)
# allow to write the "ou=ImPrefs" below self (must exist); the pattern has a single capture group, so expand with $1
access to dn.regex="^ou=ImPrefs,uid=([^,]+,ou=People,dc=suffix)$" by dn.exact,expand="uid=$1" write
# allow to create objects in one's addressbook (must exist)
access to dn.regex="cn=([^,]+),ou=PersonalAddressBook,dc=suffix$" attrs=children by dn.exact,expand="uid=$1,ou=People,dc=suffix" write
# allow to write objects in one's addressbook
access to dn.regex="(.+,)?cn=([^,]+),ou=PersonalAddressBook,dc=suffix$" by dn.exact,expand="uid=$2,ou=People,dc=suffix" write
I note that if you need to do something special, like allow a user to create the "ou=ImPrefs" entry, or the "cn=<uid>" entry in "ou=PersonalAddressBook,dc=suffix", then you'll need more rules to allow entry and children writing.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
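To make the regex-and-expand mechanics of the thread concrete, here is an added Python model of how a regex-style slapd ACL is evaluated: the <what> clause is a regex matched against the target DN, each "$N" in the <who> clause is replaced by the N-th capture group, and the expanded string is then compared with the bind DN either exactly (dn.exact) or as a pattern (dn.regex). It is an illustration written for this thread, not slapd's own code. Assumptions made by the model: DN matching is case-insensitive, a rule without attrs is treated as applying to any attribute (a simplification), and the three rules are the ones from Pierangelo's reply with the ImPrefs rule expanded as "uid=$1", since its pattern has only one capture group. "joe", "mary" and "bob" are constructed sample values.

```python
import re

SUFFIX = "dc=suffix"

# (target regex, attrs clause or None, who style, who template, access)
ACLS = [
    (rf"^ou=ImPrefs,uid=([^,]+,ou=People,{SUFFIX})$", None,
     "dn.exact", "uid=$1", "write"),
    (rf"cn=([^,]+),ou=PersonalAddressBook,{SUFFIX}$", {"children"},
     "dn.exact", f"uid=$1,ou=People,{SUFFIX}", "write"),
    (rf"(.+,)?cn=([^,]+),ou=PersonalAddressBook,{SUFFIX}$", None,
     "dn.exact", f"uid=$2,ou=People,{SUFFIX}", "write"),
]


def expand(template, match):
    """Replace $1..$9 with the capture groups of the <what> match.
    A group that did not participate, or does not exist, expands to ''."""
    groups = match.groups(default="")

    def repl(m):
        n = int(m.group(1))
        return groups[n - 1] if 0 < n <= len(groups) else ""

    return re.sub(r"\$(\d)", repl, template)


def who_matches(style, expanded, bind_dn):
    """dn.exact compares strings; dn.regex treats the expanded text as a
    pattern, which is why dn.exact is cheaper when the expansion is a full DN
    (modelled as case-insensitive, an assumption of this illustration)."""
    if style == "dn.exact":
        return expanded.lower() == bind_dn.lower()
    if style == "dn.regex":
        return re.search(expanded, bind_dn, re.IGNORECASE) is not None
    raise ValueError(f"unknown who style: {style}")


def evaluate(target_dn, bind_dn, attr="entry", acls=ACLS):
    """Access granted to bind_dn on attr of target_dn.
    The first rule whose <what> and attrs match decides, as in slapd;
    a matching rule whose <who> does not match the bind DN yields the
    implicit 'by * none'."""
    for what, attrs, style, who, access in acls:
        if attrs is not None and attr not in attrs:
            continue  # rule restricted to other attributes
        m = re.search(what, target_dn, re.IGNORECASE)
        if m is None:
            continue
        return access if who_matches(style, expand(who, m), bind_dn) else "none"
    return "none"


if __name__ == "__main__":
    me, other = f"uid=joe,ou=People,{SUFFIX}", f"uid=mary,ou=People,{SUFFIX}"
    book = f"cn=joe,ou=PersonalAddressBook,{SUFFIX}"
    print(evaluate(book, me, "children"), evaluate(book, other, "children"))
    print(evaluate(f"cn=bob,{book}", me), evaluate(f"cn=bob,{book}", other))
    print(evaluate(f"ou=ImPrefs,{me}", me), evaluate(f"ou=ImPrefs,{me}", other))
```

Running the script shows "write" for the owner and "none" for anyone else on the addressbook container's children, on an entry below it, and on the user's own ou=ImPrefs entry. Swapping the ImPrefs template back to "uid=$2" makes the expansion collapse to "uid=", which matches no bind DN, so the owner silently loses access; that is the failure mode to check for whenever a capture group index and a pattern drift apart.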