Re: Specifying write access for more then one user?
Markus Fischer wrote:
>
> Hi again,
>
> While playing around I've found the following works:
>
> > When I use the default permission set:
> >
> > access to attribute=userPassword
> > by dn="cn=admin1,ou=administrators,o=company,c=TLD" write
> > by anonymous auth
> > by self write
> > by * none
> >
> > access to *
> > by dn="cn=admin1,ou=administrators,o=company,c=TLD" write
> > by * read
> >
> [...]
> > by dn="cn=*,ou=administrators,o=company,c=TLD" write
>
> If I write
>
> by dn="ou=administartors,o=company,c=TLD" write
>
> All works without problems.
>
> Still I don't understand exactly why. At least, I don't
> understand why it does not work when I use "cn=*...".
You seem to be a bit confused about regex(7); what you want to obtain,
that is, allow all administrators to write everything, is:
access to *
by dn="cn=.*,ou=administrators,o=company,c=TLD" write
by ...
Note the dot ( '.' means any char, '*' means zero or more occurrences).
A better solution would be
access to *
by dn="cn=[^,]+,ou=administrators,o=company,c=TLD" write
by ...
which means that you give that permission only to entries whose
rdn starts with a "cn" attribute, that are exactly one level
below the "ou=administrators,o=company,c=TLD" level and that have
a non-empty value. This can be made even more efficient (giving up
the starting "cn" check) by using
access to *
by dn.one="ou=administrators,o=company,c=TLD" write
by ...
which means that only entries exactly one level below
"ou=administrators,o=company,c=TLD" have that permission, saving
you the regexec() call.
See the FAQ for more ACL details.
Pierangelo.
--
Dr. Pierangelo Masarati | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale | fax: +39 02 2399 8334
Politecnico di Milano | mailto:pierangelo.masarati@polimi.it
via La Masa 34, 20156 Milano, Italy | http://www.aero.polimi.it/~masarati
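The following is an added illustration of the point made in the reply above; it is example code written for this page, not code from the thread or from OpenLDAP. It emulates how the three "by dn=..." subjects compare against a bind DN: the regex forms are evaluated with Python's re module standing in for regexec(), and the dn.one form is evaluated structurally by comparing the parent of the bind DN with the base. Assumptions: the sample DNs are constructed; DN normalization is approximated by lower-casing and stripping spaces (no escaped commas); and because whether slapd implicitly anchors a dn regex has varied between versions, both the unanchored and the explicitly anchored (^...$) evaluation are shown, so the reader can see what the anchors change.

```python
import re

# Constructed sample bind DNs (not taken from the thread).
ADMIN_DN = "cn=admin1,ou=administrators,o=company,c=TLD"            # one level below the ou
DEEP_DN = "cn=helper,cn=admin1,ou=administrators,o=company,c=TLD"   # two levels below the ou
USER_DN = "cn=alice,ou=people,o=company,c=TLD"                      # unrelated subtree
OU_DN = "ou=administrators,o=company,c=TLD"                         # the ou entry itself


def normalize_dn(dn: str) -> str:
    """Approximate slapd's DN normalization: lower-case, no spaces around commas.
    Assumption: RDN values contain no escaped commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def regex_subject(pattern: str, dn: str, anchored: bool = False) -> bool:
    """Emulate 'by dn=<regex>'. POSIX regexec() is unanchored, so re.search()
    is used; anchored=True wraps the pattern in ^...$, which is what you get by
    writing the anchors into the ACL yourself."""
    pat = f"^(?:{pattern})$" if anchored else pattern
    return re.search(pat, normalize_dn(dn), re.IGNORECASE) is not None


def one_level_subject(base: str, dn: str) -> bool:
    """Emulate 'by dn.one=<base>': the DN's parent must equal <base> exactly,
    a structural test that needs no regex at all."""
    rdns = normalize_dn(dn).split(",")
    return len(rdns) >= 2 and ",".join(rdns[1:]) == normalize_dn(base)


# The subjects discussed in the thread, plus an explicitly anchored variant.
SUBJECTS = {
    "glob-style cn=*":   ("regex", r"cn=*,ou=administrators,o=company,c=TLD"),
    "cn=.*":             ("regex", r"cn=.*,ou=administrators,o=company,c=TLD"),
    "cn=[^,]+":          ("regex", r"cn=[^,]+,ou=administrators,o=company,c=TLD"),
    "cn=[^,]+ anchored": ("regex_anchored", r"cn=[^,]+,ou=administrators,o=company,c=TLD"),
    "dn.one":            ("one", "ou=administrators,o=company,c=TLD"),
}


def subject_matches(style: str, pattern: str, dn: str) -> bool:
    if style == "regex":
        return regex_subject(pattern, dn)
    if style == "regex_anchored":
        return regex_subject(pattern, dn, anchored=True)
    if style == "one":
        return one_level_subject(pattern, dn)
    raise ValueError(f"unknown subject style {style!r}")


def check(dn: str) -> dict:
    """Which of the SUBJECTS would match this bind DN."""
    return {name: subject_matches(style, pat, dn) for name, (style, pat) in SUBJECTS.items()}


def access_for(dn: str, clauses) -> str:
    """slapd semantics for one 'access to' directive: the first 'by' clause
    whose subject matches decides; clauses are (style, pattern, level)."""
    for style, pattern, level in clauses:
        if style == "*" or subject_matches(style, pattern, dn):
            return level
    return "none"


# The directive recommended in the reply: administrators write, everyone else reads.
RECOMMENDED_ACL = [
    ("one", "ou=administrators,o=company,c=TLD", "write"),
    ("*", None, "read"),
]

if __name__ == "__main__":
    for dn in (ADMIN_DN, DEEP_DN, USER_DN, OU_DN):
        print(dn)
        for name, hit in check(dn).items():
            print(f"  {name:20s} {'match' if hit else '-'}")
        print(f"  -> access: {access_for(dn, RECOMMENDED_ACL)}")
```

Two things are visible in the output. The glob-style "cn=*" never matches, because as a regex it means "cn" followed by zero or more "=" and then ",ou=..." directly, which no real DN contains. And "cn=.*" matches across commas, so it also admits the two-level DN; "cn=[^,]+" only excludes that DN when the pattern is anchored, whereas dn.one excludes it by construction and without a regex evaluation per bind.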