
Re: "inverse" ACL



Hi,
is there an efficient way to do


access by group/organizationalRole/roleOccupant="cn=ds-manager,(.*)$"
to dn.sub="$1" write


with OpenLDAP ACLs?

I'm afraid there's nothing like what you need; you may try to
do something this way:


access to dn.regex=".*(cn=.+)$"
    by group/organizationalRole/roleOccupant.regex="cn=ds-manager,$1" read
# ...


maybe in an incremental form:

access to dn.regex=".*([^,]+),dc=example,dc=com"
    by group/organizationalRole/roleOccupant.regex="cn=ds-manager,$1,dc=example,dc=com" read


access to dn.regex=".*([^,]+,[^,]+),dc=example,dc=com"
    by group/organizationalRole/roleOccupant.regex="cn=ds-manager,$1,dc=example,dc=com" read


access to dn.regex=".*([^,]+,[^,]+,[^,]+),dc=example,dc=com"
    by group/organizationalRole/roleOccupant.regex="cn=ds-manager,$1,dc=example,dc=com" read


access to dn.regex=".*([^,]+,[^,]+,[^,]+,[^,]+),dc=example,dc=com"
    by group/organizationalRole/roleOccupant.regex="cn=ds-manager,$1,dc=example,dc=com" read


with the required depth ...

Pierangelo.

Dr. Pierangelo Masarati               | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale                | fax:   +39 02 2399 8334
Politecnico di Milano                 | mailto:pierangelo.masarati@polimi.it
via La Masa 34, 20156 Milano, Italy   | http://www.aero.polimi.it/~masarati
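
The incremental form above, generated for whatever depth a tree needs, as an added example that is not part of the original message. The function names, the sample DNs and the simplified DN splitting are assumptions; the stanza text follows the pattern in the message, and `governing_roles` lists the `cn=ds-manager,X` entries that the scheme in the question places over a given entry.

```python
import re

ROLE_RDN = "cn=ds-manager"      # role entry name used in the thread
SUFFIX = "dc=example,dc=com"    # suffix used in the thread

# Constructed sample DNs (assumption, not from the thread).
SAMPLE_DNS = [
    "ou=sales,dc=example,dc=com",
    "ou=people,ou=sales,dc=example,dc=com",
    "uid=jdoe,ou=people,ou=sales,dc=example,dc=com",
]


def rdns_below(dn, suffix):
    """RDNs of dn that sit below suffix, leftmost first."""
    dn, suffix = dn.strip(), suffix.strip()
    if dn.lower() == suffix.lower():
        return []
    if not dn.lower().endswith("," + suffix.lower()):
        raise ValueError(f"{dn!r} is not under {suffix!r}")
    # Simplified DN parsing: split on commas that are not backslash-escaped.
    return re.split(r"(?<!\\),", dn[: -len(suffix) - 1])


def required_depth(dns, suffix):
    """Deepest entry below the suffix = number of stanzas to generate."""
    return max(len(rdns_below(dn, suffix)) for dn in dns)


def governing_roles(dn, suffix):
    """Role DNs cn=ds-manager,X for each container X below the suffix holding dn."""
    rdns = rdns_below(dn, suffix)
    return [",".join([ROLE_RDN, *rdns[-k:], suffix]) for k in range(1, len(rdns) + 1)]


def acl_stanzas(suffix, depth, access="read"):
    """One stanza per depth, in the form shown in the message.
    The suffix is pasted into the regex unescaped, as in the message."""
    stanzas = []
    for k in range(1, depth + 1):
        group = ",".join(["[^,]+"] * k)
        stanzas.append(
            f'access to dn.regex=".*({group}),{suffix}"\n'
            f'    by group/organizationalRole/roleOccupant.regex='
            f'"{ROLE_RDN},$1,{suffix}" {access}'
        )
    return stanzas


if __name__ == "__main__":
    print("\n\n".join(acl_stanzas(SUFFIX, required_depth(SAMPLE_DNS, SUFFIX))))
```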