Hi,
I am trying to implement certain ACLs, but apparently something goes wrong. I have read a lot about ACLs, and I do not understand what I am doing wrong. Maybe someone on this list can help.
I use the Debian (lenny) version of openLDAP (version 2.4.11-1), with phpldapadmin as frontend. I use cn=config.
I try to achieve the following:
*) No anonymous access
*) Users can change their own attributes/children
*) LDAP managers are listed in a groupOfNames
*) Customers should have READ access to their parent entry, and all children of their parent (siblings)
*) Specific users below a customer should have WRITE access to their parent, and all siblings (users are members of a specific groupOfNames)
I have the following ACLs in olcAccess (sanitized, on multiple lines for readability, with group/groupOfNames/member abbreviated to g/gON/m below):
{0}to attrs=userPassword,shadowLastChange by dn.base="cn=admin,ou=roles,dc=exm,dc=com" write by g/gON/m.exact="cn=ldapadm,ou=groups,dc=exm,dc=com" write by g/gON/m.exact="cn=repl,ou=roles,dc=exm,dc=com" read by anonymous auth by self write by * none
{1}to dn.base="" by * read
{2}to dn.regex="ou=([^,]+),ou=cust,ou=people,dc=exm,dc=com" by dn.exact,expand="cn=[^,]+,ou=$1,ou=cust,ou=people,dc=exm,dc=com" read by g/gON/m.exact,expand="cn=$1,ou=cust,ou=people,dc=exm,dc=com" write by * none
{3}to attrs=mail,entry by dn.exact="cn=admin,ou=roles,dc=exm,dc=com" write by g/gON/m.exact="cn=ldapadm,ou=groups,dc=exm,dc=com" write by self write by * read
{4}to * by dn.exact="cn=admin,ou=roles,dc=exm,dc=com" write by g/gON/m.exact="cn=ldapadm,ou=groups,dc=exm,dc=com" write by anonymous search by self write by * none
Explanation:
{0} superuser, admins and self can change passwords. Replicators can read, anonymous can authenticate, and others have no access.
{1} Is added to get some result; it gives read access to the top level of the directory. It shows 'cn=config' and 'dc=exm,dc=com'.
{2} Is the ACL which I expected to work. The 'to' clause matches any customer in that branch. The first 'by' matches any member in a group with the same name. The second 'by' matches any entry below this customer. The last 'by' denies other access.
{3} Is there, because the email address is used for login (matching dn is looked up, and then used to bind. See documentation of phpldapadmin).
{4} Is there so I can actually do something (my dn is in the mentioned group).
I played with a different order and the like, but I do not get what I want. When I enable logging (olcLogLevel = ACL), I get some info, but it is hard to determine where it goes wrong.
Regarding {2}:
*) I also prepended the 'to' with '.+,' to match everything below, but to no avail.
*) I also tried the 'by' clauses with 'dn=regex' instead of 'dn.exact'.
Questions:
1) What is it I do wrong?
2) How can I troubleshoot these issues (ACL validator available?)
If more info is needed, please let me know.
Marcel
openldap-technical@openldap.org
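The following is an added example, not OpenLDAP code and not something the poster wrote: a deliberately small Python model of how slapd chooses an access level, reduced to the rules that matter for the thread. The first `to` clause whose target and attrs match wins; inside it the first matching `by` clause wins; every clause ends with an implicit `by * none`; `dn.exact` (with or without `,expand`) compares the expanded string literally, while `dn.regex` treats it as a regular expression. Group membership is a plain dict, DN normalisation is lower-casing only, and the "no clause matched" case is treated as denied; all three are simplifications of the real server. The rules below are the post's {2} and {4}, with the first `by` of {2} switchable between the exact and regex styles; the directory contents (customer "acme", users alice and bob, group cn=acme) are constructed for the example. Against a real server the same questions are answered by slapacl(8), for example `slapacl -F /etc/ldap/slapd.d -D "cn=bob,ou=acme,ou=cust,ou=people,dc=exm,dc=com" -b "ou=acme,ou=cust,ou=people,dc=exm,dc=com" entry/read` (Debian's default cn=config directory assumed).

```python
import re

# Added example: a minimal model of slapd ACL evaluation (first matching `to`,
# then first matching `by`, implicit `by * none`). Not OpenLDAP code.

def norm(dn):
    """Crude DN normalisation (assumption: lower-case and trimmed RDNs suffice)."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def expand(pattern, captures):
    """Substitute $1..$9 with the captures of the `to dn.regex` clause."""
    return re.sub(r"\$([1-9])", lambda m: captures[int(m.group(1)) - 1], pattern)

class Rule:
    def __init__(self, to, by, attrs=None):
        self.to = to          # ("*",) | ("base", dn) | ("regex", pattern)
        self.by = by          # ordered list of (who, level)
        self.attrs = attrs    # None means every attribute and the entry itself

def match_to(rule, target):
    """Return the regex captures (maybe an empty tuple) or None if no match."""
    kind = rule.to[0]
    if kind == "*":
        return ()
    if kind == "base":
        return () if norm(rule.to[1]) == target else None
    if kind == "regex":
        m = re.search(rule.to[1], target)   # unanchored unless the pattern has ^...$
        return m.groups() if m else None
    raise ValueError(kind)

def match_by(who, requester, target, captures, groups):
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester == target
    if requester is None:
        return False
    kind, pattern, do_expand = who
    if do_expand or kind == "dn.regex":     # regex `by` patterns always see $N
        pattern = expand(pattern, captures)
    if kind == "dn.exact":
        return requester == pattern          # literal equality, no regex syntax
    if kind == "dn.regex":
        return re.search(pattern, requester) is not None
    if kind == "dn.children":
        return requester != pattern and requester.endswith("," + pattern)
    if kind == "group":                      # membership looked up in a dict (assumption)
        return requester in groups.get(pattern, set())
    raise ValueError(kind)

def evaluate(rules, groups, target, attr, requester):
    """Access level `requester` (None = anonymous) gets on `attr` of `target`."""
    target = norm(target)
    requester = None if requester is None else norm(requester)
    for rule in rules:
        if rule.attrs is not None and attr not in rule.attrs:
            continue
        captures = match_to(rule, target)
        if captures is None:
            continue
        for who, level in rule.by:
            if match_by(who, requester, target, captures, groups):
                return level
        return "none"    # clause matched, no `by` did: implicit `by * none`
    return "none"        # nothing matched: treated as denied in this model

CUST = "ou=cust,ou=people,dc=exm,dc=com"
# Constructed sample directory: customer acme, users alice and bob, and the
# per-customer manager group cn=acme containing only alice.
GROUPS = {
    f"cn=acme,{CUST}": {f"cn=alice,ou=acme,{CUST}"},
    "cn=ldapadm,ou=groups,dc=exm,dc=com": {"cn=marcel,ou=roles,dc=exm,dc=com"},
}

def customer_rules(sibling_style):
    """Rules {2} and {4} from the post; the first `by` of {2} in the given style."""
    sibling = {
        "dn.exact": ("dn.exact", f"cn=[^,]+,ou=$1,{CUST}", True),
        "dn.regex": ("dn.regex", rf"^cn=[^,]+,ou=$1,{CUST}$", False),
    }[sibling_style]
    return [
        Rule(("regex", rf"ou=([^,]+),{CUST}"),
             [(sibling, "read"),
              (("group", f"cn=$1,{CUST}", True), "write"),
              ("*", "none")]),
        Rule(("*",),
             [(("group", "cn=ldapadm,ou=groups,dc=exm,dc=com", False), "write"),
              ("self", "write"),
              ("*", "none")]),
    ]

if __name__ == "__main__":
    for style in ("dn.exact", "dn.regex"):
        for who in (f"cn=bob,ou=acme,{CUST}", f"cn=alice,ou=acme,{CUST}",
                    "cn=marcel,ou=roles,dc=exm,dc=com", None):
            level = evaluate(customer_rules(style), GROUPS, f"ou=acme,{CUST}", "entry", who)
            print(f"{style:9} {who or 'anonymous':55} -> {level}")
```

Three things the model makes visible: with the exact style the expanded pattern still contains the literal text `[^,]+`, so no real DN equals it and bob falls through to `by * none`; with the regex style bob gets read, but alice, who is also below the customer, now matches the read clause before the group clause and never reaches write, because `by` clauses are tried in order; and a member of ldapadm gets nothing on customer entries, because {2} matches first and ends with `by * none` before {4} is ever consulted.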