Craig White wrote:

This looks like a macro ACI. Have you tried a macro ACI in conjunction with the "add" right?

On Tue, 2008-09-02 at 09:59 -0600, Rich Megginson wrote:

Rich Megginson wrote:

Have you tried the "add" right, to allow users to add entries under their entries?

Craig White wrote:

The ACL Summary error log level can provide some clues.
http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting

On Thu, 2008-08-28 at 13:53 -0700, Craig White wrote:

I have users' personal address books as an ou under their accounts...

  ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com

but when I try to add an entry, I am blocked...

  [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 ADD dn="cn=Test,ou=AddressBook,uid=craig,ou=People,ou=Accounts,dc=example,dc=com"
  [28/Aug/2008:12:42:11 -0700] conn=18613 op=1 RESULT err=50 tag=105 nentries=0 etime=0

I need an ACI that allows each uid account to read/write entries in OUs under their own accounts, and the only ACIs I have are the ones inherited.

----
It would be great if I could get some help here.

I know that in OpenLDAP, ACLs are processed top down and so I'm looking at the ACIs that would govern here.

dc=example,dc=com has the following ACI (the second one after anonymous access)...

  (targetattr = "carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || labeledURL || mail || mobile || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write) (userdn = "ldap:///self") ;)

and I added one more (it's on the bottom of the list - #7)...

  (targetattr = "*") (version 3.0; acl "Personal Address Books"; allow (write)(userdn = "ldap:///self");)

http://tinyurl.com/3yo88r

I'm not sure if self will work here - you might have to use a macro ACI in which the uid part of the target matches the uid part of the subject - see
http://tinyurl.com/59ehxh

----
I'm not sure if 'self' will work here either...nothing seems to work. This is the ACL that works for me in OpenLDAP...

  access to dn.regex="^ou=AddressBook,uid=([^,]+),ou=People,dc=example,dc=com$$"
    attrs=children,entry,inetOrgPerson,organizationalPerson
    by dn.exact,expand="uid=$1,ou=People,dc=example,dc=com" write
    by dn.exact="uid=administrator,ou=People,dc=example,dc=com" write
    by * none

I am hesitant to fool with the access control while there are people working on the network but the above is exactly what I want to work in Fedora-DS

Craig

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
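An added example, not posted by anyone in this thread: one way to express Craig's OpenLDAP dn.regex ACL as a Fedora DS macro ACI combined with the "add" right that Rich suggests. The ($dn) macro in the target captures the uid RDN and is substituted into the bind rule; the DIT names are the ones from the thread, and placing the ACI on ou=Accounts is an assumption (any ancestor of the target subtree would do).

```ldif
# Added example (not from the thread). The target pattern matches
# ou=AddressBook,uid=<user>,... and everything beneath it; ($dn) captures
# the "uid=<user>" RDN, and the same ($dn) in the bind rule is replaced
# with that captured value, so each user only reaches their own subtree.
# "write" alone does not permit creating child entries; "add" (and
# "delete" for removing them) must be granted explicitly.
# Placement on ou=Accounts is an assumption; apply with ldapmodify as
# Directory Manager.
dn: ou=Accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///ou=AddressBook,($dn),ou=People,ou=Accounts,dc=example,dc=com")
 (targetattr = "*")
 (version 3.0; acl "Personal Address Books (macro)";
 allow (read, search, compare, add, write, delete)
 (userdn = "ldap:///($dn),ou=People,ou=Accounts,dc=example,dc=com"
 or userdn = "ldap:///uid=administrator,ou=People,ou=Accounts,dc=example,dc=com");)
```

With the ACL Summary log level from the FAQ link enabled, a denied ADD under ou=AddressBook then shows whether this ACI was evaluated and which bind rule failed, which is the quickest way to confirm the macro matched as intended.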