fixed the ACL stuff, it was included in the wrong position

addressbook/doc/README

@@ -49,21 +49,43 @@ dc=domain,dc=com    base DN of your LDAP server
 The contact base DN must include the accounts and groups base DN, otherwise they will not be 
 searched AND the ACL given below does NOT work!
  
-The following ACL in slapd conf allow:
+The example acl_addressbook.conf allow:
--------------------------------------
+--------------------------------------
-- everyone to read the account addressbook
-- the user to edit his account (incl. password)
-- the egwadmin user for each domain to edit all accounts (eGW uses it when admins edit accounts)
 - only the user to read, edit or delete in his personal addressbook
-- group-members to read, edit or delete in their group addressbook
+- group-members to read, edit or delete in their group addressbook(s)
-
-Add or include the rows after the line behind the exiting ACL rules in your slapd.conf
 
 Please note: 
 -----------
+- You need to copy our example acl_addressbook.conf into your openldap conf dir.
 - You need to change all dc=domain,dc=com with the base DN your LDAP uses!!!
 - If you want to use the old mozillaOrgPerson schema, you need to change it here too!
----------------------------------------------------------------------------------------------------
+- You need to include "your" acl_addressbook.conf BEFORE the last acl entry (access to *) 
+  in your slapd.conf and restart the LDAP server. 
+  
+This is how the default ACL's in /etc/openldap/slapd.conf of my (SuSE 10.1) looks and 
+where I included it:
+
+access to dn.base=""
+        by * read
+
+access to dn.base="cn=Subschema"
+        by * read
+
+access to attrs=userPassword,userPKCS12
+        by self write
+        by * auth
+
+access to attrs=shadowLastChange
+        by self write
+        by * read
+
+include /etc/openldap/acl_addressbook.conf
+
+access to *
+        by * read
+
+---- acl_addressbook.conf --------------------------------------------------------
+
 # Access to users personal addressbooks
 
 # allow read of addressbook by owner and egwadmin account

addressbook/doc/acl_addressbook.conf

@@ -0,0 +1,43 @@
+# Access to users personal addressbooks
+
+# allow read of addressbook by owner and egwadmin account
+access to dn.regex="^cn=([^,]+),ou=personal,ou=contacts,o=([^,]+),dc=domain,dc=com$"
+	attrs=entry
+	by dn.regex="uid=$1,ou=accounts,o=$2,dc=domain,dc=com" read
+	by dn.regex="cn=egwadmin,o=$2,dc=domain,dc=com" write
+	by users none
+
+# allow user to create entries in own addressbook; no-one else can access it
+# needs write access to the entries ENTRY attribute ...
+access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,o=([^,]+),dc=domain,dc=com$"
+	attrs=children
+	by dn.regex="uid=$1,ou=accounts,o=$2,dc=domain,dc=com" write
+	by users none
+
+# ... and the entries CHILDREN
+access to dn.regex="cn=([^,]+),ou=personal,ou=contacts,o=([^,]+),dc=domain,dc=com$"
+	attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha,@evolutionPerson
+	by dn.regex="uid=$1,ou=accounts,o=$2,dc=domain,dc=com" write
+	by users none
+
+# Access to groups addressbooks
+
+# allow read of addressbook by members and egwadmin account
+access to dn.regex="^cn=([^,]+),ou=shared,ou=contacts,o=([^,]+),dc=domain,dc=com$"
+	attrs=entry
+	by group.expand="cn=$1,ou=groups,o=$2,dc=domain,dc=com" read
+	by dn.regex="cn=egwadmin,o=$2,dc=domain,dc=com" write
+	by users none
+
+# allow members to create entries in there group addressbooks; no-one else can access it
+# needs write access to the entries ENTRY attribute ...
+access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,o=([^,]+),dc=domain,dc=com$"
+	attrs=children
+	by group.expand="cn=$1,ou=groups,o=$2,dc=domain,dc=com" write
+	by users none
+
+# ... and the entries CHILDREN
+access to dn.regex="cn=([^,]+),ou=shared,ou=contacts,o=([^,]+),dc=domain,dc=com$"
+	attrs=entry,@inetOrgPerson,@mozillaAbPersonAlpha,@evolutionPerson
+	by group.expand="cn=$1,ou=groups,o=$2,dc=domain,dc=com" write
+	by users none