
Re: Problem with ACL and regex



Hi,

"Michael Hamann" <mail@mhamann.net> writes:

> Hi,
>
> removing the break leads to the right direction. Now a normal user can
> access the global book and his own user level (only his own) but, as last
> error, he can't access his private addressbook under his user level
> (cn=mmaier,ou=user,dc=cw is accessible but not
> ou=addressbook,cn=mmaier,ou=user,dc=cw). I've played again with the
> options for hours today but I have really problems understanding how these
> ACLs should work...
>
> So my actual config is:

> access to dn.regex="ou=addressbook,cn=(.+),ou=user,dc=cw"
>          by self write
>          by dn="cn=admin,ou=user,dc=cw" write
>          by * auth
[...]

This wouldn't work in the intended way; ask yourself "who is self" in
this case?  There is an example in the version 2.2.6 man page slapd.access(5)
that matches your requirements. In case you don't have 2.2.6:

,----[ man slapd.access ]
| # group 1 is the optional prefix (e.g. "ou=addressbook,"), group 2 is the cn
| access to dn.regex="^(.+,)?cn=([^,]+),ou=users,dc=cw$$"
|        by dn.exact,expand="cn=$2,ou=users,dc=cw" write
`----


That is, 'cn=any user,ou=users,dc=cw' has write access to his subtree.

-Dieter

-- 
Dieter Kluenter  | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter(at)dkluenter.de
http://www.avci.de
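As an added illustration (my own code, not from the thread or from OpenLDAP): a small Python model of how slapd's dn.regex match feeds a `by dn.exact,expand=` clause, showing why `$2` (the cn group) works for the addressbook entry while `$1` (the optional prefix group) does not. The DN comparison is simplified to a case-insensitive string compare, an assumption standing in for slapd's real DN normalisation.

```python
import re

# Constructed example: the man-page style ACL target. Group 1 is the optional
# "ou=addressbook," prefix, group 2 is the cn component. slapd.conf writes the
# end anchor as "$$"; Python's re takes a single "$".
ACL_TARGET = r"^(.+,)?cn=([^,]+),ou=users,dc=cw$"
BY_EXPAND_FIXED = "cn=$2,ou=users,dc=cw"    # expands to the owner of the subtree
BY_EXPAND_BROKEN = "cn=$1,ou=users,dc=cw"   # $1 is the prefix, not the cn


def expand(template, match):
    """Substitute $0..$9 with the regex groups, like slapd's ',expand' style.
    A group that did not participate in the match expands to the empty string."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))) or "", template)


def expanded_by_dn(target_dn, by_expand, acl_target=ACL_TARGET):
    """DN the <by dn.exact,expand=...> clause resolves to for target_dn,
    or None when the ACL's dn.regex does not select the entry at all."""
    m = re.match(acl_target, target_dn, re.IGNORECASE)
    return expand(by_expand, m) if m else None


def grants_write(target_dn, bound_dn, by_expand=BY_EXPAND_FIXED):
    """True when the bound DN equals the expanded DN (simplified comparison)."""
    who = expanded_by_dn(target_dn, by_expand)
    return who is not None and who.lower() == bound_dn.lower()


if __name__ == "__main__":
    user = "cn=mmaier,ou=users,dc=cw"
    for entry in (user, "ou=addressbook," + user,
                  "ou=addressbook,cn=other,ou=users,dc=cw"):
        print(f"{entry:45} $2 -> {grants_write(entry, user)!s:5} "
              f"$1 -> {grants_write(entry, user, BY_EXPAND_BROKEN)}")
```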