[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: group.regex not implemented?

To: dietzold@imise.uni-leipzig.de
Subject: Re: group.regex not implemented?
From: Pierangelo Masarati <masarati@aero.polimi.it>
Date: Sun, 4 Nov 2001 23:30:56 +0100 (MET)
Cc: openldap-software@OpenLDAP.org
In-reply-to: <Pine.GSO.4.40.0111041525020.20527-100000@fink> from Sebastian Dietzold at Nov "4," 2001 "03:41:27" pm

> 
> Hi There,
> 
> The last 4 hours i try to write an acl that give rights to an object for a
> role (or group). i make a test-server for this with these 3 aci's:
> 
> my tree consists of more than on organisation-subtrees und c=de.
> i want to make a rule that gives the OrganizationAdministratorRole (or
> group) all rights for his subtree:
> 
> 
> ---
> access to dn="^c=de$" by * read

you should do 

access to dn.base="c=de" by * read

if you mean everybody has read access to the "c=de" entry.

> 
> # THIS RULE IS IGNORED BY THE SERVER
> access to dn="o=(.+),c=de$"
>   by group.regex="^cn=admin,ou=Groups,o=$1,c=de$" write
>   by * none

then you need 

access to dn="o=(.+),c=de$"
	by group.regex="^cn=admin,ou=Groups,o=$1,c=de$" write
	by * auth

otherwise "cn=admin,ou=Groups,o=.+,c=de" won't be able to
access its entry in order to bind.

The best you can do is:

access to dn="o=(.+),c=de$" attrs=userPassword
	by group.regex="^cn=admin,ou=Groups,o=$1,c=de$" write
	by * auth

access to dn="o=(.+),c=de$"
	by group.regex="^cn=admin,ou=Groups,o=$1,c=de$" write
	by * none


Pierangelo.

References:
- group.regex not implemented?
  - From: Sebastian Dietzold <dietzold@imise.uni-leipzig.de>

Prev by Date: Re: Creating indexes
Next by Date: performance problem with sldap
Index(es):
- Chronological
- Thread