On Tue, 2008-09-02 at 09:59 -0600, Rich Megginson wrote:
> Rich Megginson wrote:
>
>> Craig White wrote:
>>
>>> On Thu, 2008-08-28 at 13:53 -0700, Craig White wrote:
>>>
>>>
>>>> I have users' personal address books as an ou under their accounts...
>>>>
>>>> ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com
>>>>
>>>> but when I try to add an entry, I am blocked...
>>>>
>>>> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 ADD dn="cn=Test,ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com"
>>>>
>>>> [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 RESULT err=50 tag=105 nentries=0 etime=0
>>>>
>>>> I need an ACI that allows each uid account to read/write entries in
>>>> OUs under their own accounts, and the only ACIs I have are the ones
>>>> inherited.
>>>>
>>>>
>>> ----
>>> It would be great if I could get some help here.
>>>
>>>
>> The ACL Summary error log level can provide some clues.
>>
>> http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
>>
>>> I know that in OpenLDAP, ACLs are processed top down and so I'm
>>> looking at the ACIs that would govern here.
>>>
>>> dc=example,dc=com has the following ACI (the second one after anonymous
>>> access)...
>>>
>>> (targetattr = "carLicense ||description ||displayName
>>> ||facsimileTelephoneNumber ||homePhone ||homePostalAddress
>>> ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo
>>> ||postOfficeBox ||postalAddress ||postalCode
>>> ||preferredDeliveryMethod ||preferredLanguage ||registeredAddress
>>> ||roomNumber ||secretary ||seeAlso ||st ||street ||telephoneNumber
>>> ||telexNumber ||title ||userCertificate ||userPassword
>>> ||userSMIMECertificate ||x500UniqueIdentifier")
>>> (version 3.0;
>>> acl "Enable self write for common attributes";
>>> allow (write)
>>> (userdn = "ldap:///self")
>>> ;)
>>>
>>> and I added one more (it's on the bottom of the list - #7)...
>>>
>>> (targetattr = "*") (version 3.0;acl "Personal Address Books";allow
>>> (write)(userdn = "ldap:///self");)
>>>
> Have you tried the "add" right, to allow users to add entries under
> their entries?
> http://tinyurl.com/3yo88r
>
> I'm not sure if self will work here - you might have to use a macro ACI
> in which the uid part of the target matches the uid part of the subject
> - see http://tinyurl.com/59ehxh
>
----
I'm not sure if 'self' will work here either...nothing seems to work.
This is the ACL that works for me in OpenLDAP...
access to dn.regex="^ou=AddressBook,uid=([^,]+),ou=People,dc=example,dc=com$$"
    attrs=children,entry,inetOrgPerson,organizationalPerson
    by dn.exact,expand="uid=$1,ou=People,dc=example,dc=com" write
    by dn.exact="uid=administrator,ou=People,dc=example,dc=com" write
    by * none
This looks like a macro ACI. Have you tried a macro ACI in conjunction
with the "add" right?
I am hesitant to fool with the access control while there are people
working on the network, but the above is exactly what I want to work in
Fedora-DS.
Craig
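A macro ACI of the kind Rich suggests, written out as an added example that is not from the thread or from the Directory Server project: it grants each account rights, including add, on the ou=AddressBook subtree beneath its own entry and on nothing else, which is the Directory Server counterpart of the OpenLDAP dn.regex/expand rule above. The DIT layout (uid=...,ou=People,ou=Accounts,dc=example,dc=com) is taken from the access log quoted in the thread; the ACI name, the set of rights granted, and the choice to attach the ACI to ou=Accounts,dc=example,dc=com are assumptions. The macro syntax (($dn) in the target, [$dn] in the bind rule) is the one documented for Fedora/Red Hat Directory Server.

```ldif
# Added example, not from the thread. Attach a macro ACI to the ou=Accounts
# subtree (placement is an assumption; any ancestor of the address books works).
dn: ou=Accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///ou=AddressBook,($dn),ou=People,ou=Accounts,dc=example,dc=com")
 (targetattr="*")
 (version 3.0; acl "Personal Address Books (macro)";
 allow (read,search,compare,write,add,delete)
 userdn="ldap:///[$dn],ou=People,ou=Accounts,dc=example,dc=com";)
```

Apply it with ldapmodify bound as Directory Manager (for example `ldapmodify -x -D "cn=Directory Manager" -W -f personal-addressbooks.ldif`). The ($dn) macro in the target captures whatever RDN sits between ou=AddressBook and ou=People in the entry being accessed (uid=craig for the add in the log), and [$dn] substitutes that same value into the bind DN, so a client bound as uid=craig,ou=People,ou=Accounts,dc=example,dc=com matches only for entries under its own address book; an add under another account's ou=AddressBook never matches the bind rule and is still refused with err=50, which is the containment the OpenLDAP rule's `uid=$1` expansion gives. The add right is what the original "allow (write)" ACI lacked: write alone permits modifying existing entries, not creating cn=Test. If the add still fails after the change, the ACL summary error log level from the FAQ link above shows which ACIs were evaluated for the operation and why none matched.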
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users