On Tue, 5 Aug 2014 16:26:44 +0200, Simeon Ott <[email protected]> wrote:

> On 05.08.2014, at 15:00, Dieter Klünter <[email protected]> wrote:
>
> > On Tue, 5 Aug 2014 13:39:13 +0200, Simeon Ott <[email protected]> wrote:
> >
> >> On 05.08.2014, at 11:39, Dieter Klünter <[email protected]> wrote:
> >>
> >>> On Tue, 5 Aug 2014 09:41:36 +0200, Simeon Ott <[email protected]> wrote:
> >>>
> >>>> […]
> >>>>     by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
> >>>>     by * read
> >>>> access to *
> >>>>     by dn.base="cn=admin,dc=mydomain" write
> >>>>     by * read
> >>>>
> >>>> ACL rule 4 allows the postmaster to add objects to its "domain"
> >>>> without any restrictions. How can I restrict the object creation
> >>>> to specific object classes and attributes? Let's say postmaster
> >>>> should only be able to add objects like the following:
> >>> [...]
> >>> man slapd.access(5), the <WHAT> field: @<objectClass>
> >>>
> >>> -Dieter
> >>>
> >>
> >> Thanks Dieter, I tried the following already … instead of rule 3
> >> and 4 I used the following:
> >>
> >> access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=intra,dc=onnet,dc=ch$"
> >>     attrs=@CourierMailAccount,@inetOrgPerson,@top,@Vacation,entry,vacationInfo,smtpRelayFlag,description,vacationForward,displayName,givenName,homePhone,homePostalAddress,initials,mobile,postalAddress,postalCode,l,telephoneNumber,title
> >>     by self write
> >>     by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=intra,dc=onnet,dc=ch" write
> >>     by * read
> >>
> >> access to dn.regex="^ou=(.+),ou=domains,dc=intra,dc=onnet,dc=ch$" attrs=children
> >>     by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=intra,dc=onnet,dc=ch" write
> >>     by * read
> >>
> >> As postmaster I'm still able to add objects to its domain. But I'm
> >> also able to add other objectclasses and attributes.
> >>
> >> I think I mess around with the attributes entry and children –
> >> anyone help me cleaning up? :-)
> >
> > run slapd in debugging mode acl and watch the rule number applied
> > to a write operation.
> >
>
> Okay, this didn't really help, but thanks anyway. I'm not familiar
> with reading those logs. I adjusted the loglevel to 128 to see the
> ACL processing. But it's still a huge amount of log lines when adding
> such an LDIF. I thought it was going to be an easy task.

I am talking about debugging, not logging!

man slapd(8)

-Dieter

-- 
Dieter Klünter | Systems consulting
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N 10°08'02,42"E
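The whitelist approach Dieter points at (the `@<objectClass>` form of the <what> field together with the `entry` and `children` pseudo-attributes from slapd.access(5)), laid out as one complete, ordered ACL set. This is an added example written for this page, not configuration from the thread or from the OpenLDAP project. It assumes slapd.conf ACL syntax, the tree layout used in the thread (entries under ou=<domain>,ou=domains,dc=mydomain, with cn=postmaster,ou=<domain>,ou=domains,dc=mydomain as the delegated admin), and the Courier schema that defines CourierMailAccount; the object class list in rule 2 is a constructed sample, trim it to what your accounts actually need.

```conf
# Added example, not from the thread or the OpenLDAP project.
# Assumed layout: ou=<domain>,ou=domains,dc=mydomain, delegated admin
# cn=postmaster,ou=<domain>,ou=domains,dc=mydomain. Order matters: slapd uses
# the first directive whose <what> (dn + attribute) matches the target.

# 1. Write on the "children" pseudo-attribute of the domain container is what
#    an add (or delete) of an entry directly under ou=<domain> requires.
access to dn.regex="^ou=([^,]+),ou=domains,dc=mydomain$" attrs=children
    by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write
    by * read

# 2. Attribute whitelist for entries one level below the domain container.
#    "entry" must be listed, or the add is refused even when every real
#    attribute is writable. Note that @top expands to just objectClass, so
#    this rule restricts attribute names, not which objectClass values the
#    postmaster may put in an entry (that needs the val qualifier in
#    slapd.access(5), which is outside this example).
access to dn.regex="^[^,]+,ou=([^,]+),ou=domains,dc=mydomain$"
    attrs=entry,@top,@inetOrgPerson,@CourierMailAccount
    by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write
    by * read

# 3. Catch-all for the same entries: every attribute NOT matched by rule 2
#    (say uidNumber) lands here, where the postmaster only has read. An add
#    that carries such an attribute is therefore denied as a whole.
access to dn.regex="^[^,]+,ou=([^,]+),ou=domains,dc=mydomain$"
    by dn.base="cn=admin,dc=mydomain" write
    by * read

# 4. Global fallback, as in the thread.
access to *
    by dn.base="cn=admin,dc=mydomain" write
    by * read
```

An add by the postmaster is checked against rule 1 for the parent's `children`, then against rule 2 for `entry` and each attribute of the new entry; anything not whitelisted falls through to rule 3 and the add fails, while a plain inetOrgPerson plus CourierMailAccount entry succeeds. Which directive matched each attribute is exactly what slapd prints on stderr when started with `slapd -d acl` (or `-d 128`, the ACL debug level named in the thread), as described in slapd(8); that is the debugging output, as opposed to syslog logging, that Dieter's reply refers to.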
