acls help

20 Jul 2010


      Hello,
Im using Phamm, its an php-web front-end to manage ldap postfix virtual 
hosting mail env. at my Fedora 11 box (openldap 2.4.15-7).
Its designed to manage multi roles access:
Admin/Manager (full access)
postmaster (manage accounts under own domain)
account/user (manage own account only)
Install instructions from Phamm autor, recommends to do an include at 
end of slapd.conf to phamm.acl file.
But its not working here, only Admin or Manager (rootdn) can write changes.
User postmaster cannot write and account users have read only access as 
well.
Below I post phamm.acl, Please, Can anyone help me with this acls 
issue?  Thanks!  Juliano.
--- phamm.acl ---
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" 
attrs=userPassword
     by dn="cn=admin,dc=example,dc=tld" write
         by self write
         by anonymous auth
         by 
dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" write
         by set.expand="user/vd & [$1]" write
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" 
attrs=amavisBypassVirusChecks,quota,smtpAuth,accountActive
     by dn="cn=admin,dc=example,dc=tld" write
         by self read
         by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read
         by set.expand="user/editAccounts & [TRUE]" write
         by 
dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" read
         by set.expand="user/vd & [$1]" write
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" 
attrs=cn,sn,uid,forwardActive,vacationActive,vacationInfo,vacationStart,vacationEnd,vacationForward,amavisSpamTagLevel,amavisSpamTag2Level,amavisSpamKillLevel
     by dn="cn=admin,dc=example,dc=tld" write
         by self write
         by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read
         by 
dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" write
         by set.expand="user/vd & [$1]" write
access to dn.regex="^.*,vd=([^,]+),o=hosting,dc=example,dc=tld$" 
attrs=editAccounts
     by dn="cn=admin,dc=example,dc=tld" write
         by self read
         by set.expand="user/editAccounts & [TRUE]" write
         by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read
         by * none
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" 
attrs=objectClass,entry
     by dn="cn=admin,dc=example,dc=tld" write
         by self write
         by anonymous read
         by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read
         by set.expand="user/editAccounts & [TRUE]" write
         by 
dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" read
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" 
attrs=amavisBypassSpamChecks,accountActive,delete
     by dn="cn=admin,dc=example,dc=tld" write
         by self read
         by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read
         by 
dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" write
         by set.expand="user/vd & [$1]" write
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" 
attrs=otherPath
     by dn="cn=admin,dc=example,dc=tld" write
         by anonymous read
         by self read
         by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read
         by 
dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" read
         by set.expand="user/vd & [$1]" write
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" 
attrs=createMaildir,vdHome,mailbox,otherTransport
     by dn="cn=admin,dc=example,dc=tld" write
         by self read
         by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read
         by set.expand="user/vd & [$1]" read
access to dn.regex="^(.+,)?vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=vd
     by dn="cn=admin,dc=example,dc=tld" write
         by self write
         by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read
         by 
dn.exact,expand="cn=postmaster,vd=$2,o=hosting,dc=example,dc=tld" write
         by set.expand="user/vd & [$2]" write
access to dn.regex="^(.+,)?vd=([^,]+),o=hosting,dc=example,dc=tld$"
     by dn="cn=admin,dc=example,dc=tld" write
         by self write
         by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read
         by set.expand="user/editAccounts & [FALSE]" read
         by 
dn.exact,expand="cn=postmaster,vd=$2,o=hosting,dc=example,dc=tld" write
         by set.expand="user/vd & [$2]" write
access to dn.regex=".+,o=hosting,dc=example,dc=tld$"
     by dn="cn=admin,dc=example,dc=tld" write
         by self write
         by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read
         by anonymous auth
access to dn.regex=".+,dc=tld$"
         by dn="cn=admin,dc=example,dc=tld" write
         by dn.exact="cn=phamm,o=hosting,dc=example,dc=tld" read
         by anonymous auth
access to dn.regex=".+,ou=admin,dc=example,dc=tld$" attrs=userPassword
     by dn="cn=admin,dc=example,dc=tld" write
         by self write
         by anonymous auth
access to dn.regex=".+,ou=admin,dc=example,dc=tld$" attrs=vd
     by dn="cn=admin,dc=example,dc=tld" write
         by self read
access to dn.regex="ou=admin,dc=example,dc=tld$"
     by dn="cn=admin,dc=example,dc=tld" write
         by self read
--- end ---

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

acls help