On Sat, 2009-07-25 at 14:17 -0500, Anthony Messina wrote:
> Hello, firstly, thanks for 389!  I have just migrated my small domain from OL
> to 389 DS including some basic replication and have found it to be a solid,
> reliable and quick system.
>
> I am however having a lot of confusion with ACIs.  I am trying to create ACIs
> with the same specificity that I had with OL and eGroupWare
> (http://egroupware.org), but can't seem to get one of them figured out.
>
> This is what I'm trying to accomplish (in OL format):
>
> access to
> dn.regex="^ou=personal,ou=contacts,ou=([^,]+),o=eGroupWare,dc=messinet,dc=com$"
>         attrs=children
>         by dn.exact="uid=egwadmin,o=eGroupWare,dc=messinet,dc=com" write
>         by * none
>
> access to
> dn.regex="^cn=([^,]+),ou=personal,ou=contacts,ou=([^,]+),o=eGroupWare,dc=messinet,dc=com$"
>         attrs=entry
>         by dn.exact="uid=egwadmin,o=eGroupWare,dc=messinet,dc=com" write
>         by dn.exact,expand="uid=$1,ou=accounts,ou=$2,o=eGroupWare,dc=messinet,dc=com" read
>         by * none
>
> access to
> dn.regex="cn=([^,]+),ou=personal,ou=contacts,ou=([^,]+),o=eGroupWare,dc=messinet,dc=com$"
>         by dn.exact="uid=egwadmin,o=eGroupWare,dc=messinet,dc=com" write
>         by dn.exact,expand="uid=$1,ou=accounts,ou=$2,o=eGroupWare,dc=messinet,dc=com" write
>         by * none
>
> I have tried using the following in 389 DS to no avail.
> On the ou=messinet.com,ou=eGW,dc=messinet,dc=com entry...
>
> (targetattr = "*") (target = "ldap:///cn=($dn),ou=personal,ou=contacts,ou=messinet.com,ou=eGW,dc=messinet,dc=com")
> (version 3.0;acl "eGW personal addressbook access";allow (read,compare,search,write,delete,add)(userdn = "ldap:///uid=($dn),ou=accounts,ou=messinet.com,ou=eGW,dc=messinet,dc=com");)
>
> I need to have the uid of the binding user be matched to the cn of the tree
> root for personal contacts.
>
> How would I allow access by the bind user of:
> "uid=example_user,ou=accounts,ou=messinet.com,ou=eGW,dc=messinet,dc=com"
> to the entry and subentries of:
> "cn=example_user,ou=personal,ou=contacts,ou=messinet.com,ou=eGW,dc=messinet,dc=com"
>
> References to the suggested ACLs (for OL) are here:
> http://svn.egroupware.org/egroupware/trunk/addressbook/doc/README
> http://svn.egroupware.org/egroupware/trunk/addressbook/doc/acl_addressbook.conf
> http://svn.egroupware.org/egroupware/trunk/phpgwapi/doc/ldap/acl_egw_addressbook.conf
<snip>

Hmm . . . I've never used an ACI swapping attributes as you are (CN for UID),
but I would think it should work.  Out of curiosity, if you set the user's
CN = UID and then rewrite the ACI to be ldap://($dn),....., does it work?

I'm eager to see what more knowledgeable folks have to say.  Good luck - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@xxxxxxxxxxxxxxxxxxx
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

--
389 users mailing list
389-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
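The three OpenLDAP rules quoted in the original post can be pinned down as a small reference model before they are re-expressed as 389 DS ACIs: given a bind DN, a target DN and an attribute, which rule matches, what `$1`/`$2` capture, and what level the first matching `by` clause grants. The following is an added example written for this thread; it is not code from the thread, from eGroupWare or from 389 DS, and its helper names (`decide`, `owner_dn`, `same_dn`) and the `example_user`/`other_user` DNs are constructed. It assumes slapd's first-match evaluation, treats the `entry` and `children` selectors as literal attribute names, and compares DNs as case-insensitive strings rather than doing full DN normalisation.

```python
import re

# Added reference model of the three OpenLDAP "access to" rules quoted in the
# thread (not code from the thread, eGroupWare or 389 DS).  It answers what the
# rules grant for a (bind DN, target DN, attribute) triple, so the intended
# behaviour can be checked against concrete DNs.  Assumptions: first matching
# rule and first matching "by" clause win, as in slapd; DNs are compared
# case-insensitively as plain strings; the attrs selectors "entry" and
# "children" are literal attribute names and an omitted selector matches all.

SUFFIX = "o=eGroupWare,dc=messinet,dc=com"
ADMIN_DN = "uid=egwadmin," + SUFFIX

# Rule 1: the per-domain "personal" container itself; $1 = domain ou.
ROOT_RE = re.compile(
    r"^ou=personal,ou=contacts,ou=([^,]+)," + re.escape(SUFFIX) + r"$", re.IGNORECASE)
# Rule 2: exactly the user's address-book root; $1 = user cn, $2 = domain ou.
ENTRY_RE = re.compile(
    r"^cn=([^,]+),ou=personal,ou=contacts,ou=([^,]+)," + re.escape(SUFFIX) + r"$", re.IGNORECASE)
# Rule 3: no leading ^, so it also matches every entry *below* the user's root.
SUBTREE_RE = re.compile(
    r"cn=([^,]+),ou=personal,ou=contacts,ou=([^,]+)," + re.escape(SUFFIX) + r"$", re.IGNORECASE)

# (target regex, attrs selector or None for "all attributes", ordered by-clauses)
RULES = [
    (ROOT_RE,    "children", [("admin", "write"), ("*", "none")]),
    (ENTRY_RE,   "entry",    [("admin", "write"), ("owner", "read"),  ("*", "none")]),
    (SUBTREE_RE, None,       [("admin", "write"), ("owner", "write"), ("*", "none")]),
]


def same_dn(a, b):
    """Case-insensitive string comparison; real DN normalisation is out of scope."""
    return a.casefold() == b.casefold()


def owner_dn(user, domain):
    """Expansion of 'by dn.exact,expand="uid=$1,ou=accounts,ou=$2,..."'."""
    return f"uid={user},ou=accounts,ou={domain},{SUFFIX}"


def decide(bind_dn, target_dn, attr):
    """Return 'write', 'read' or 'none' for bind_dn's access to attr of target_dn."""
    for regex, selector, clauses in RULES:
        match = regex.search(target_dn)
        if not match or (selector is not None and selector != attr):
            continue  # this "access to" rule does not apply; try the next one
        groups = match.groups()
        for subject, level in clauses:
            if subject == "admin" and same_dn(bind_dn, ADMIN_DN):
                return level
            if subject == "owner" and len(groups) == 2 and same_dn(bind_dn, owner_dn(*groups)):
                return level
            if subject == "*":
                return level
    return "none"  # no rule matched: slapd denies by default


if __name__ == "__main__":
    # Constructed sample DNs following the layout in the post.
    user = "uid=example_user,ou=accounts,ou=messinet.com," + SUFFIX
    root = "cn=example_user,ou=personal,ou=contacts,ou=messinet.com," + SUFFIX
    for bind, target, attr in [
        (user, root, "entry"),
        (user, "cn=a contact," + root, "mail"),
        ("uid=other_user,ou=accounts,ou=messinet.com," + SUFFIX, root, "entry"),
    ]:
        print(f"{attr} on {target} for {bind} -> {decide(bind, target, attr)}")
```

Running it shows the split the quoted config actually encodes: the owner gets only `read` on the `entry` pseudo-attribute of the address-book root (rule 2) but `write` on its other attributes and on everything beneath it (rule 3), a different user in the same domain gets `none`, and a user whose `uid` matches but whose domain `ou` differs gets `none` because `$2` is part of the expanded bind DN. Any 389 DS ACI meant to replace these rules should reproduce exactly those answers.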