openldap/tests/data/slapd-acl.conf
Emmanuel Dreyfus 7f085e8b8b The fix to ITS#4556 broke this test: modifying objectClass was forbidden
for anyone, and since LDAP additions now check for attribute write access,
the addition now fails.

Allowing objectClass write access for the user that performs the LDAP
addtition fixes the problem.

Approved by ando@
2008-10-04 10:12:11 +00:00

149 lines
5.5 KiB
Plaintext

# master slapd config -- for testing
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2008 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
include @SCHEMADIR@/core.schema
include @SCHEMADIR@/cosine.schema
include @SCHEMADIR@/inetorgperson.schema
include @SCHEMADIR@/openldap.schema
include @SCHEMADIR@/nis.schema
pidfile @TESTDIR@/slapd.1.pid
argsfile @TESTDIR@/slapd.1.args
# global ACLs
#
# normal installations should protect root dse, cn=monitor, cn=subschema
#
access to dn.exact="" attrs=objectClass
by users read
access to *
by * read
#mod#modulepath ../servers/slapd/back-@BACKEND@/
#mod#moduleload back_@BACKEND@.la
#monitormod#modulepath ../servers/slapd/back-monitor/
#monitormod#moduleload back_monitor.la
#######################################################################
# database definitions
#######################################################################
database @BACKEND@
suffix "dc=example,dc=com"
directory @TESTDIR@/db.1.a
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
#bdb#index objectClass eq
#bdb#index cn,sn,uid pres,eq,sub
#hdb#index objectClass eq
#hdb#index cn,sn,uid pres,eq,sub
#ndb#dbname db_1
#ndb#include @DATADIR@/ndb.conf
#access to attrs=objectclass dn.subtree="dc=example,dc=com"
access to attrs=objectclass
by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" add
by * =rsc stop
#access to filter="(objectclass=person)" attrs=userpassword dn.subtree="dc=example,dc=com"
access to filter="(objectclass=person)" attrs=userpassword
by anonymous auth
by self =wx
access to dn.exact="cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com"
attrs=cn val="Mark A Elliot"
by dn="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
by * break
access to dn.exact="cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com"
attrs=cn val="Mark Elliot"
by dn="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
by * break
access to dn.exact="cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com"
attrs=cn
by * search
access to dn.exact="cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc=com"
attrs=cn val.regex="^John D.+"
by dn="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
by * break
access to dn.exact="cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc=com"
attrs=cn val.regex="^Jonath.+"
by dn="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
by * break
access to dn.exact="cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc=com"
attrs=cn
by * search
access to dn.onelevel="ou=Information Technology Division,ou=People,dc=example,dc=com"
filter="(cn=*Jensen)"
attrs=cn val.regex=".*Jensen$"
by dn="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
by dn="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" read
by * break
access to dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
attrs=cn
by * search
access to dn.children="ou=Alumni Association,ou=People,dc=example,dc=com"
by dn.regex=".+,dc=example,dc=com" +c continue
by dn.subtree="dc=example,dc=com" +rs continue
by dn.children="dc=example,dc=com" +d continue
by * stop
#access to attrs=member,uniquemember dn.subtree="dc=example,dc=com"
access to attrs=member,uniquemember
by dn.exact="cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com" selfwrite
by dnattr=member selfwrite
by dnattr=uniquemember selfwrite
by * read
#access to attrs=member,uniquemember filter="(mail=*com)" dn.subtree="dc=example,dc=com"
access to attrs=member,uniquemember filter="(mail=*com)"
by * read
#access to filter="(|(objectclass=groupofnames)(objectClass=groupofuniquenames))" dn.subtree="dc=example,dc=com"
access to filter="(|(objectclass=groupofnames)(objectClass=groupofuniquenames))"
by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" =sc continue
by dn.regex="^cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com$" +rw stop
by * break
access to dn.children="ou=Information Technology Division,ou=People,dc=example,dc=com"
by group/groupOfUniqueNames/uniqueMember.exact="cn=ITD Staff,ou=Groups,dc=example,dc=com" write
by * read
access to dn.exact="cn=Alumni Assoc Staff,ou=Groups,dc=example,dc=com"
by set="[cn=Alumni Assoc Staff,ou=Groups,dc=example,dc=com]/member* & user" write
by * read
#access to filter="(name=X*Y*Z)" dn.subtree="dc=example,dc=com"
access to filter="(name=X*Y*Z)"
by * continue
access to dn.subtree="ou=Add & Delete,dc=example,dc=com"
by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" add
by dn.exact="cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" delete
by dn.exact="cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com" write
by * read
# fall into global ACLs
#monitor#database monitor