Re: [389-users] ACI Confusion (New to 389 Came from OL):

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, 2009-07-25 at 14:17 -0500, Anthony Messina wrote:
> Hello, firstly, thanks for 389!  I have just migrated my small domain from OL 
> to 389 DS including some basic replication and have found it to be a solid, 
> reliable and quick system.
> 
> I am however having a lot of confusion with ACIs.  I am trying to create ACIs 
> with the same specificity that I had with OL and eGroupWare 
> (http://egroupware.org), but can't seem to get one of them figured out.
> 
> This is what I'm trying to accomplish (in OL format):
> access to 
> dn.regex="^ou=personal,ou=contacts,ou=([^,]+),o=eGroupWare,dc=messinet,dc=com$"
>         attrs=children
>         by dn.exact="uid=egwadmin,o=eGroupWare,dc=messinet,dc=com" write
>         by * none
> 
> access to 
> dn.regex="^cn=([^,]+),ou=personal,ou=contacts,ou=([^,]+),o=eGroupWare,dc=messinet,dc=com$"
>         attrs=entry
>         by dn.exact="uid=egwadmin,o=eGroupWare,dc=messinet,dc=com" write
>         by 
> dn.exact,expand="uid=$1,ou=accounts,ou=$2,o=eGroupWare,dc=messinet,dc=com" 
> read
>         by * none
> 
> access to 
> dn.regex="cn=([^,]+),ou=personal,ou=contacts,ou=([^,]+),o=eGroupWare,dc=messinet,dc=com$"
>         by dn.exact="uid=egwadmin,o=eGroupWare,dc=messinet,dc=com" write
>         by 
> dn.exact,expand="uid=$1,ou=accounts,ou=$2,o=eGroupWare,dc=messinet,dc=com" 
> write
>         by * none
> 
> I have tried using the following in 389 DS to no avail.
> On the ou=messinet.com,ou=eGW,dc=messinet,dc=com entry...
> 
> (targetattr = "*") (target = 
> "ldap:///cn=($dn),ou=personal,ou=contacts,ou=messinet.com,ou=eGW,dc=messinet,dc=com") 
> (version 3.0;acl "eGW personal addressbook access";allow 
> (read,compare,search,write,delete,add)(userdn = 
> "ldap:///uid=($dn),ou=accounts,ou=messinet.com,ou=eGW,dc=messinet,dc=com");)
> 
> I need to have the uid of the binding user be matched to the cn of the tree 
> root for personal contacts.
> 
> How would I allow access by the bind user of:
> "uid=example_user,ou=accounts,ou=messinet.com,ou=eGW,dc=messinet,dc=com"
> to the entry and subentries of:
> cn=example_user,ou=personal,ou=contacts,ou=messinet.com,ou=eGW,dc=messinet,dc=com"
> 
> References to the suggested ACLs (for OL) are here:
> http://svn.egroupware.org/egroupware/trunk/addressbook/doc/README
> http://svn.egroupware.org/egroupware/trunk/addressbook/doc/acl_addressbook.conf
> http://svn.egroupware.org/egroupware/trunk/phpgwapi/doc/ldap/acl_egw_addressbook.conf
<snip>
Hmm . . . I've never used an ACI swapping attributes as your are (CN for
UID) but I would think it should work.  Out of curiosity, if you set the
user's CN = UID and then rewrite the ACI to be ldap://($dn),....., does
it work?

I'm eager to see what more knowledgeable folks have to say.  Good luck -
John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@xxxxxxxxxxxxxxxxxxx

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

--
389 users mailing list
389-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users

[Index of Archives]     [Fedora Directory Users]     [Fedora Directory Devel]     [Fedora Announce]     [Fedora Legacy Announce]     [Kernel]     [Fedora Legacy]     [Share Photos]     [Fedora Desktop]     [PAM]     [Red Hat Watch]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite News]

  Powered by Linux