Hello, firstly, thanks for 389! I have just migrated my small domain from OL to 389 DS including some basic replication and have found it to be a solid, reliable and quick system.

I am however having a lot of confusion with ACIs. I am trying to create ACIs with the same specificity that I had with OL and eGroupWare (http://egroupware.org), but can't seem to get one of them figured out.

This is what I'm trying to accomplish (in OL format):

    access to dn.regex="^ou=personal,ou=contacts,ou=([^,]+),o=eGroupWare,dc=messinet,dc=com$" attrs=children
        by dn.exact="uid=egwadmin,o=eGroupWare,dc=messinet,dc=com" write
        by * none

    access to dn.regex="^cn=([^,]+),ou=personal,ou=contacts,ou=([^,]+),o=eGroupWare,dc=messinet,dc=com$" attrs=entry
        by dn.exact="uid=egwadmin,o=eGroupWare,dc=messinet,dc=com" write
        by dn.exact,expand="uid=$1,ou=accounts,ou=$2,o=eGroupWare,dc=messinet,dc=com" read
        by * none

    access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,ou=([^,]+),o=eGroupWare,dc=messinet,dc=com$"
        by dn.exact="uid=egwadmin,o=eGroupWare,dc=messinet,dc=com" write
        by dn.exact,expand="uid=$1,ou=accounts,ou=$2,o=eGroupWare,dc=messinet,dc=com" write
        by * none

I have tried using the following in 389 DS to no avail. On the ou=messinet.com,ou=eGW,dc=messinet,dc=com entry...

    (targetattr = "*")
    (target = "ldap:///cn=($dn),ou=personal,ou=contacts,ou=messinet.com,ou=eGW,dc=messinet,dc=com")
    (version 3.0;acl "eGW personal addressbook access";allow (read,compare,search,write,delete,add)(userdn = "ldap:///uid=($dn),ou=accounts,ou=messinet.com,ou=eGW,dc=messinet,dc=com");)

I need to have the uid of the binding user be matched to the cn of the tree root for personal contacts.

How would I allow access by the bind user of:

    "uid=example_user,ou=accounts,ou=messinet.com,ou=eGW,dc=messinet,dc=com"

to the entry and subentries of:

    "cn=example_user,ou=personal,ou=contacts,ou=messinet.com,ou=eGW,dc=messinet,dc=com"

References to the suggested ACLs (for OL) are here:

    http://svn.egroupware.org/egroupware/trunk/addressbook/doc/README
    http://svn.egroupware.org/egroupware/trunk/addressbook/doc/acl_addressbook.conf
    http://svn.egroupware.org/egroupware/trunk/phpgwapi/doc/ldap/acl_egw_addressbook.conf

Thank you very much in advance for your assistance.

--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
-- 389 users mailing list 389-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
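
The three OpenLDAP rules quoted in the message above, modelled in Python as an added example (not part of the original post and not eGroupWare or 389 DS code). It can serve as a reference for the intended policy when checking a ported ACI: the first rule whose target matches decides, the first matching "by" clause gives the level, and `$1`/`$2` expand from the target regex. Assumptions: DNs are compared as plain strings with no normalization, and the sample DNs are constructed.

```python
import re

BASE = "o=eGroupWare,dc=messinet,dc=com"
ADMIN = "uid=egwadmin," + BASE
# Target regex shared by rules 2 and 3; group 1 = addressbook cn, group 2 = domain ou.
BOOK = r"cn=([^,]+),ou=personal,ou=contacts,ou=([^,]+)," + re.escape(BASE) + "$"
# dn.exact,expand subject: $1 and $2 in slapd syntax, \1 and \2 here.
OWNER = r"uid=\1,ou=accounts,ou=\2," + BASE

# (target regex, pseudo-attribute the rule is limited to or None, by-clauses)
RULES = [
    (r"^ou=personal,ou=contacts,ou=([^,]+)," + re.escape(BASE) + "$",
     "children", [(ADMIN, "write")]),
    ("^" + BOOK, "entry", [(ADMIN, "write"), (OWNER, "read")]),
    # Rule 3 has no leading ^ in the post, so it also covers entries below the book.
    (BOOK, None, [(ADMIN, "write"), (OWNER, "write")]),
]

def access(bind_dn, entry_dn, attr):
    """Return 'write', 'read' or 'none'; None when no rule targets the entry."""
    for pattern, only_attr, by_clauses in RULES:
        m = re.search(pattern, entry_dn)
        if not m or (only_attr and only_attr != attr):
            continue
        for who, level in by_clauses:
            if m.expand(who) == bind_dn:
                return level
        return "none"  # the closing "by * none" of each rule
    return None

if __name__ == "__main__":
    # Constructed sample DNs following the layout in the quoted rules.
    user = "uid=example_user,ou=accounts,ou=messinet.com," + BASE
    book = "cn=example_user,ou=personal,ou=contacts,ou=messinet.com," + BASE
    for dn, attr in [(book, "entry"), (book, "cn"), ("cn=A Contact," + book, "cn")]:
        print(attr, dn, "->", access(user, dn, attr))
```
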