Re: AW: AW: acl help - no write access to parent
- To: Tiefnig Daniel <daniel.tiefnig@infonova.at>
- Subject: Re: AW: AW: acl help - no write access to parent
- From: Terry Davis <tdavis@birddog.com>
- Date: Wed, 19 Sep 2001 13:59:40 -0500
- Cc: openldap-software@OpenLDAP.org
- In-reply-to: <CD576BEA0509D511A2A7000629D573DE1C483D@exmail.infonova.at>
- References: <CD576BEA0509D511A2A7000629D573DE1C483D@exmail.infonova.at>
- User-agent: Internet Messaging Program (IMP) 2.3.7-cvs
YA!
That worked.
Now I just need to restrict access based on that.
--
Terry Davis
Systems Administrator
BirdDog Solutions, Inc.
(402) 829-6059
Quoting Tiefnig Daniel <daniel.tiefnig@infonova.at>:
> > Wow, this is really frustrating. :)
>
> i know.. :o)
>
> > I am getting insufficient access now if I try to bind with
> > a valid username and
> > password which works if I change the acl a bit. Here is
> > what I have exactly:
> >
> > access to dn=".*uid=([^,]+),ou=People,dc=birddog,dc=com"
> > by dn="uid=$1,ou=People,dc=birddog,dc=com" write
> > access to *
> > by self write
> > by * read
>
> and this doesn't work..? um.. try this one to ensure ACLs work as
> expected..
>
> access to dn=".*,uid=([^,]+),ou=People,dc=birddog,dc=com"
> by dn="uid=$1,ou=People,dc=birddog,dc=com" write
> access to *
> by self write
> by * read
>
> note the comma in the first line, after the ".*". this will match only all
> _subentries_ of the uid=<user>,ou=People,dc=birddog,dc=com and give the
> "uid=<user>" write access to them, while the user-entry itself will be
> matched with the second acl ("access to *") and give everybody read access,
> so auth should be possible in all circumstances..
>
> daniel
>
-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/
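As an added illustration, not code from either poster, here is a small Python model of slapd's first-match ACL evaluation run over both rule sets quoted in the thread. It shows why the extra comma matters: with the original pattern an anonymous bind hits the user's own entry in the first clause and is denied, while with the comma the entry falls through to "access to *" and is readable. The sample DNs and the simplified matching rules (case-insensitive unanchored regex, first matching "access to" wins, then first matching "by") are assumptions of this model, not a slapd.conf parser.

```python
import re

# Rule sets transcribed from the thread: (target-DN regex or "*", [(who, value, level), ...]).
ACL_ORIGINAL = [
    (r".*uid=([^,]+),ou=People,dc=birddog,dc=com",
     [("dn", "uid=$1,ou=People,dc=birddog,dc=com", "write")]),
    ("*", [("self", None, "write"), ("*", None, "read")]),
]
ACL_FIXED = [
    (r".*,uid=([^,]+),ou=People,dc=birddog,dc=com",   # note the comma before uid=
     [("dn", "uid=$1,ou=People,dc=birddog,dc=com", "write")]),
    ("*", [("self", None, "write"), ("*", None, "read")]),
]


def expand(template, match):
    """Substitute $1..$9 in a 'by dn=' template with the target-DN capture groups."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))), template)


def access_level(acls, target_dn, requester_dn):
    """Simplified slapd semantics (assumption): the first 'access to' clause whose
    regex matches target_dn is selected; within it the first matching 'by' clause
    decides. requester_dn is None for an anonymous request (e.g. during bind)."""
    for pattern, by_clauses in acls:
        if pattern == "*":
            match = re.match("", target_dn)            # wildcard matches every entry
        else:
            match = re.search(pattern, target_dn, re.IGNORECASE)
            if match is None:
                continue
        for who, value, level in by_clauses:
            if who == "*":
                return level
            if requester_dn is None:
                continue                               # anonymous: only "*" can apply
            if who == "self" and requester_dn.lower() == target_dn.lower():
                return level
            if who == "dn" and requester_dn.lower() == expand(value, match).lower():
                return level
        return "none"   # clause matched the target but no "by" applied: implicit deny
    return "none"


if __name__ == "__main__":
    user = "uid=tdavis,ou=People,dc=birddog,dc=com"      # constructed sample DN
    sub = "cn=addressbook," + user                       # constructed subentry
    for name, acl in (("original", ACL_ORIGINAL), ("fixed", ACL_FIXED)):
        print(name, "anonymous on own entry:", access_level(acl, user, None))
        print(name, "owner on subentry:", access_level(acl, sub, user))
```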