[ILUG] ACL issue
Bernhard D Rohrer
graylion at sm-wg.net
Sat Oct 4 15:16:55 IST 2008
Hi guys
I have a problem in that I can happily edit entries in my LDAP-based
address book, but when I try to delete them I am getting "insufficient
permissions".
I am loading these schemas:
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/rfc2307bis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/evolutionperson.schema
include /etc/ldap/schema/mozillaabpersonalpha.schema
include /etc/ldap/schema/greenmta.schema
include /etc/ldap/schema/samba.schema
the relevant part of the ACL is:
# Access to users personal addressbooks
# allow read of addressbook by owner and egwadmin account
access to dn.regex="^cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$"
    attrs=entry
    by dn.regex="uid=$1,ou=users,dc=graylion,dc=net" read
    by dn.regex="cn=admin,dc=graylion,dc=net" write
    by users none
# allow user to create entries in own addressbook; no-one else can access it
# needs write access to the entries ENTRY attribute ...
access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$"
    attrs=children
    by dn.regex="uid=$1,ou=users,dc=graylion,dc=net" write
    by users none
# ... and the entries CHILDREN
access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$"
    attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha,@evolutionPerson
    by dn.regex="uid=$1,ou=users,dc=graylion,dc=net" write
    by users none
# Access to groups addressbooks
# allow read of addressbook by members and egwadmin account
access to dn.regex="^cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$"
    attrs=entry
    by group.expand="cn=$1,ou=groups,dc=graylion,dc=net" read
    by dn.regex="cn=admin,dc=graylion,dc=net" write
    by users none
# allow members to create entries in their group addressbooks; no-one
# else can access it
# needs write access to the entries ENTRY attribute ...
access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$"
    attrs=children
    by group.expand="cn=$1,ou=groups,dc=graylion,dc=net" write
    by users none
# ... and the entries CHILDREN
access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$"
    attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha,@evolutionPerson
    by group.expand="cn=$1,ou=groups,dc=graylion,dc=net" write
    by users none
I have a strong feeling that my problem is somewhere in here:
access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,dc=graylion,dc=net$"
    attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha,@evolutionPerson
    by group.expand="cn=$1,ou=groups,dc=graylion,dc=net" write
    by users none
but cannot make sense of it.
cheers
Bernhard
--
Graylion's Fetish & Fashion Store
Goth and Kinky Boots, Clothing and Jewellery
http://www.graylion.net
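As an added illustration (not part of the post above, and not slapd's own code), the following script models how slapd evaluates the personal-addressbook clauses from the post: the first "access to" clause whose dn.regex and attrs both match the target wins, then the first "by" whose expanded DN regex matches the bound DN gives the level, and a delete needs write on the target's entry pseudo-attribute plus write on the parent's children pseudo-attribute. The bound DNs and contact DN are constructed; the model ignores DN normalisation, the rest of the slapd.conf and any clause ordering not shown in the post.

```python
import re

# Constructed model of the three "ou=personal" clauses quoted in the post:
# (target dn.regex, attrs it covers, [(by dn.regex, level), ...]).
# "by users none" is represented by falling through to "none".
ACLS = [
    (r"^cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$",
     {"entry"},
     [(r"uid=$1,ou=users,dc=graylion,dc=net", "read"),
      (r"cn=admin,dc=graylion,dc=net", "write")]),
    (r"cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$",
     {"children"},
     [(r"uid=$1,ou=users,dc=graylion,dc=net", "write")]),
    (r"cn=([^,]+),ou=personal,ou=contacts,dc=graylion,dc=net$",
     {"entry", "@inetOrgPerson", "@mozillaAbPersonAlpha", "@evolutionPerson"},
     [(r"uid=$1,ou=users,dc=graylion,dc=net", "write")]),
]


def access_level(bound_dn, target_dn, attr):
    """Level the first matching clause grants bound_dn on target_dn/attr."""
    for dn_re, attrs, by_list in ACLS:
        m = re.search(dn_re, target_dn)
        if not m or attr not in attrs:
            continue  # clause does not cover this target/attribute pair
        for by_re, level in by_list:
            # $1 is the capture from the target regex, substituted literally
            expanded = by_re.replace("$1", re.escape(m.group(1)))
            if re.search(expanded, bound_dn):
                return level
        return "none"  # clause matched, no "by" matched: "by users none"
    return "none"  # no clause matched at all (model: deny)


def can_delete(bound_dn, target_dn):
    """Delete needs write on target's 'entry' and on the parent's 'children'."""
    if "," not in target_dn:
        return False  # no parent: nothing to delete in this model
    parent = target_dn.split(",", 1)[1]
    return (access_level(bound_dn, target_dn, "entry") == "write"
            and access_level(bound_dn, parent, "children") == "write")


if __name__ == "__main__":
    owner = "uid=bernhard,ou=users,dc=graylion,dc=net"
    contact = "cn=Bob,cn=bernhard,ou=personal,ou=contacts,dc=graylion,dc=net"
    for attr in ("entry", "children"):
        print(attr, access_level(owner, contact, attr))
    print("owner can delete contact:", can_delete(owner, contact))
```

Running the two `access_level` calls for a request that fails on the live server, with the DN the client actually bound as, shows which clause the request falls through to; the anchored `^` on the first clause is why it covers only the addressbook container and not the contacts beneath it.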