On Fri, 11 Oct 2013 16:35:34 -0400, Mark Dieterich <[email protected]> wrote:
> Hi all,
>
> I'm banging my head against a wall trying to get one particular ACL
> setup. We want our users, with the exception of those that have a
> restricted shell, to be able to change their own shell values. A
> typical user looks like:
>
> dn: uid=user,ou=people,dc=cs,dc=brown,dc=edu
> objectClass: top
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: krb5Principal
> objectClass: sambaSamAccount
> objectClass: ownCloudUser
> objectClass: mailUser
> ...
> loginShell: /bin/bash
>
> We'd ideally like to have an ACL in place that looks like:
>
> access to dn.subtree="ou=people,dc=cs,dc=brown,dc=edu"
>     attrs=loginShell val.regex="/bin/[^f][^s][^h]"
>     by ssf=128 self write
>     by * read
>
> The idea being that a user with a loginShell value of /bin/fsh would
> NOT be allowed to change their shell value. However, with this rule
> in place, no user is able to change their shell value. Even if I
> change the rule to be:
>
> access to dn.subtree="ou=people,dc=cs,dc=brown,dc=edu"
>     attrs=loginShell val.exact="/bin/bash"
>     by ssf=128 self write
>     by * read
>
> users with loginShell of /bin/bash still can't change their own
> values. If I drop the val.<type>="<whatever>" restriction, users can
> change their shell values just fine. This is the first time I've ever
> used an ACL with a val.<type>= restriction, but I've scoured the
> internet and I can't for the life of me figure out what I'm doing
> wrong. I'm happy to have someone here give me a dope slap... I'm
> just tired of the headaches ;)

You should probably check with slapacl(8).

-Dieter

--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
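Before running slapacl against the live configuration, it is worth seeing which loginShell values the proposed val.regex clause actually selects. This is an added example, not code from the thread or from OpenLDAP; it assumes slapd evaluates val.regex as an unanchored POSIX regex search (approximated here with Python's re.search) and uses a constructed LDIF sample.

```python
import re

# Pattern proposed in the thread: attrs=loginShell val.regex="/bin/[^f][^s][^h]"
ACL_VALUE_REGEX = r"/bin/[^f][^s][^h]"

# Constructed LDIF sample (not from the original post)
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: posixAccount
loginShell: /bin/bash

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: posixAccount
loginShell: /bin/fsh

dn: uid=carol,ou=people,dc=example,dc=com
objectClass: posixAccount
loginShell: /bin/zsh

dn: uid=dave,ou=people,dc=example,dc=com
objectClass: posixAccount
loginShell: /bin/sh
"""


def parse_login_shells(ldif_text):
    """Map each entry's dn to its loginShell (minimal LDIF reader: no line folding, no base64)."""
    shells, dn = {}, None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("loginShell: ") and dn:
            shells[dn] = line[len("loginShell: "):]
    return shells


def value_matches(value, pattern=ACL_VALUE_REGEX):
    """Would the val.regex clause select this value? Assumes slapd runs an
    unanchored regexec() search, which re.search approximates."""
    return re.search(pattern, value) is not None


def self_write_allowed(ldif_text, pattern=ACL_VALUE_REGEX):
    """For each entry, whether its current loginShell value is covered by the
    'by self write' clause; values the regex does not match get no grant from this rule."""
    return {dn: value_matches(v, pattern) for dn, v in parse_login_shells(ldif_text).items()}


if __name__ == "__main__":
    for dn, ok in self_write_allowed(SAMPLE_LDIF).items():
        print(f"{dn}: {'self write' if ok else 'no grant from this rule'}")
```

The pattern fails to match /bin/zsh and /bin/sh as well as /bin/fsh, so those users get no grant from this rule either; slapacl(8) against the real configuration remains the definitive check.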
