Hi,
it should be so simple ... I thought.
At first some things worked, but then I messed something up and now I'm completely confused.
What I want (sooner or later):
- users should authenticate using posix and samba accounts.
- they may change their password.
- they may look up other mail, phone, ... addresses in the ldap using Thunderbird or Apple Addressbook
- they may change their phone number and (maybe) their postal address
- admin users should be able to write and read everything.
- anonymous users may later read the mail and cn/sn attribute.
Maybe someone has such ACLs already set up and would like to share them, or can help me?
Would be great, because reading the docs and experimenting is helpful, but I did not end up with a working, secure, flexible, understandable setup.
Thanks a lot and best regards.
/Götz
On 16/11/10 10:51 +0100, Götz Reinicke - IT-Koordinator wrote:
it should be so simple ... I thought.
At first some things worked, but then I messed something up and now I'm completely confused.
What I want (sooner or later):
- users should authenticate using posix and samba accounts.
- they may change their password.
- they may look up other mail, phone, ... addresses in the ldap using Thunderbird or Apple Addressbook
- they may change their phone number and (maybe) their postal address
- admin users should be able to write and read everything.
- anonymous users may later read the mail and cn/sn attribute.
Maybe someone has such ACLs already set up and would like to share them, or can help me?
Would be great, because reading the docs and experimenting is helpful, but I did not end up with a working, secure, flexible, understandable setup.
We haven't deployed address books, but you might still find our approach useful as a starting point. We intend to provide individual address books for users to manage themselves, but we do not allow users to search for or find other users. I've cut out all the group/admin related configuration for simplicity.
# Per-user address book container and everything below it: only the owner
# (the uid captured as $1) may read or write, nobody else sees it at all.
access to dn.regex="ou=addressbook,uid=([^,]+),ou=people,dc=example,dc=net$" by dn.regex="uid=$1,ou=people,dc=example,dc=net" write by * none
access to dn.regex=".*,ou=addressbook,uid=([^,]+),ou=people,dc=example,dc=net$" by dn.regex="uid=$1,ou=people,dc=example,dc=net" write by * none
# The container entries themselves (dn.base, so children are not covered here).
access to dn.base="ou=people,dc=example,dc=net" by anonymous auth by users read by * none
access to dn.base="ou=groups,dc=example,dc=net" by users read by * none
access to dn.base="ou=aliases,dc=example,dc=net" by anonymous auth by users read by * none
# Secrets: usable for binding by anyone, writable by the owner, readable by nobody.
access to attrs=userPassword,shadowLastChange,sambaPwdLastSet,sambaLMPassword,sambaNTPassword,krb5KeyVersionNumber,krb5Key,cmusaslsecretOTP by anonymous auth by self write by * none
access to attrs=authzTo by anonymous auth by self read by * none
access to attrs=objectClass by anonymous auth by self read by * none
# "entry" is the pseudo-attribute needed before any other attribute of an entry is returned.
access to attrs=entry,uidNumber by anonymous auth by self read by * none
# Root DSE stays world-readable so clients can discover naming contexts.
access to dn.base="" by * read
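As an added example (not the configuration of either poster), here is a slapd.conf ACL set assembled from the requirements in the original mail using the same top-down pattern: self-service passwords and contact fields, an admin group with full access, shared address-book lookups for logged-in users, and the planned anonymous read of mail/cn/sn. The suffix dc=example,dc=net and the group cn=admins,ou=groups,dc=example,dc=net are assumed.

```conf
# Rules are evaluated top-down: the first "access to" that matches the entry/attribute
# wins, and within it the first matching "by" clause decides. Admin group members get
# "write" in every rule so the later, narrower rules cannot lock them out.
# ASSUMED names: suffix dc=example,dc=net, admin group cn=admins,ou=groups,dc=example,dc=net.

# 1. Password material: bind (auth) for anyone, change for the owner, read for nobody.
#    shadowLastChange/sambaPwdLastSet must be writable by self or password changes fail.
access to attrs=userPassword,shadowLastChange,sambaPwdLastSet,sambaLMPassword,sambaNTPassword
        by group.exact="cn=admins,ou=groups,dc=example,dc=net" write
        by anonymous auth
        by self write
        by * none

# 2. Contact details the owner may maintain; other logged-in users may only read them.
access to attrs=telephoneNumber,mobile,postalAddress,postalCode,l,street
        by group.exact="cn=admins,ou=groups,dc=example,dc=net" write
        by self write
        by users read
        by * none

# 3. Address-book subset under ou=people. "entry" is required or nothing is returned.
#    Anonymous read here is the "later" requirement; drop that line until it is wanted.
#    nss_ldap/pam_ldap lookups are usually anonymous too and would need uid, uidNumber,
#    gidNumber, homeDirectory and loginShell added here (or a dedicated bind DN).
access to dn.subtree="ou=people,dc=example,dc=net" attrs=entry,mail,cn,sn,givenName,displayName
        by group.exact="cn=admins,ou=groups,dc=example,dc=net" write
        by users read
        by anonymous read
        by * none

# 4. Remaining attributes under ou=people: authenticated users read, nobody else.
access to dn.subtree="ou=people,dc=example,dc=net"
        by group.exact="cn=admins,ou=groups,dc=example,dc=net" write
        by users read
        by * none

# 5. Root DSE must stay readable so clients can discover the naming contexts.
access to dn.base=""
        by * read

# 6. Everything else (ou=groups etc.): admins write, logged-in users read.
#    Note the rootdn (and therefore Samba's "ldap admin dn" if it is the rootdn)
#    bypasses ACLs entirely.
access to *
        by group.exact="cn=admins,ou=groups,dc=example,dc=net" write
        by users read
        by * none
```

Check the result with slapacl (e.g. `slapacl -b "uid=alice,ou=people,dc=example,dc=net" -D "uid=bob,ou=people,dc=example,dc=net" userPassword/read`) before restarting slapd, since a rule ordered wrongly silently denies or grants more than intended.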