maiku l33t
Joined: 24 Mar 2004 Posts: 601 Location: Escaping from NY
Posted: Wed Oct 24, 2007 4:51 am Post subject: LDAP ACL help
I'm fairly new to LDAP ACL programming. I tried to set it up so that I could have remote address books and sync them, as well as have user accounts in LDAP. Of course, what ended up happening is that I couldn't get any other machine on the network to authenticate with the server's LDAP. Then I heard from my co-worker that qmail wasn't delivering any mail because it thought the mailboxes for users in LDAP didn't exist.
Quote:
access to dn.regex="^uid=[^,]+,ou=People,dc=teknetronic,dc=com$"
by set.expand="(user/uid) &
    [cn=Administrators,ou=Group,dc=teknetronic,dc=com]/memberUid" write
by anonymous auth
by self write
by * none
# allow admins to add new accounts to the tree
access to dn.regex="^ou=People,dc=teknetronic,dc=com$"
attrs=children
by set.expand="(user/uid) &
    [cn=Administrators,ou=Group,dc=teknetronic,dc=com]/memberUid" write
by * none
# allow users readonly access to accounts in their own domain
access to dn.regex="ou=People,dc=teknetronic,dc=com$"
attrs=entry
by dn.children="ou=People,dc=teknetronic,dc=com" read
by users none break
by * none
#######################################################################
#
# Access to groups
#
#######################################################################
# allow admins to add new groups to the tree
access to dn.regex="^ou=Group,dc=teknetronic,dc=com$"
attrs=children
by set.expand="(user/uid) &
    [cn=Administrators,ou=Group,dc=teknetronic,dc=com]/memberUid" write
by * none
#######################################################################
#
# Access to personal addressbooks
#
#######################################################################
# allow admins to add new personal addressbooks to the tree
access to dn.regex="^ou=personal,ou=contacts,dc=teknetronic,dc=com$"
attrs=children
by set.expand="(user/uid) &
    [cn=Administrators,ou=Group,dc=teknetronic,dc=com]/memberUid" write
by * none
# allow admins to add new personal addressbooks
# user can read the addressbooks only
access to
    dn.regex="^cn=([^,]+),ou=personal,ou=contacts,dc=teknetronic,dc=com$"
attrs=entry
by dn.exact,expand="uid=$1,ou=People,dc=teknetronic,dc=com" read
by set.expand="(user/uid) &
    [cn=Administrators,ou=Group,dc=teknetronic,dc=com]/memberUid" write
by * none
# allow user and egwadmin to manage personal addressbook entries
access to
    dn.regex="cn=([^,]+),ou=personal,ou=contacts,dc=teknetronic,dc=com$"
by dn.exact,expand="uid=$1,ou=People,dc=teknetronic,dc=com" write
by set.expand="(user/uid) &
    [cn=Administrators,ou=Group,dc=teknetronic,dc=com]/memberUid" write
by * none
#######################################################################
#
# Access to group addressbooks
#
#######################################################################
# allow admins to add new group addressbooks to the tree
access to dn.regex="^ou=shared,ou=contacts,dc=teknetronic,dc=com$"
attrs=children
by set.expand="(user/uid) &
    [cn=Administrators,ou=Group,dc=teknetronic,dc=com]/memberUid" write
by users none
# allow admins to add new group addressbooks
# groupmembers can read the addressbooks only
access to
    dn.regex="^cn=([^,]+),ou=shared,ou=contacts,dc=teknetronic,dc=com$"
attrs=entry
by set.expand="(user/uid) &
    [cn=Administrators,ou=Group,dc=teknetronic,dc=com]/memberUid" write
by set.expand="(user/uid) &
    [cn=$1,ou=Group,dc=teknetronic,dc=com]/memberUid" write
by * none
# allow groups and egwadmin to manage group addressbook entries
access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,dc=teknetronic,dc=com$"
by set.expand="(user/uid) &
    [cn=Administrators,ou=Group,dc=teknetronic,dc=com]/memberUid" write
by set.expand="(user/uid) &
    [cn=$1,ou=Group,dc=teknetronic,dc=com]/memberUid" write
by * none

Any help on optimizing and suggestions would be very welcome.
_________________
Michael