
Re: slapd and permissions



Jernej Kos wrote:

So, how would the conf directive look like ? Something like:

access to dn.regex="ou=Domains,uid=(.*),ou=Drones,dc=unimatrix-one,dc=org" attrs=children
by dn.regex="uid=$1,ou=Drones,dc=unimatrix-one,dc=org" write
by * read



White space is important; attrs=children must not start in the first column.

access to dn.regex="^ou=Domains,uid=([^,]+),ou=Drones,dc=unimatrix-one,dc=org$"
		attrs=children
       by dn.exact,expand="uid=$1,ou=Drones,dc=unimatrix-one,dc=org" write
       by * read
access to dn.regex="^[^,]+,ou=Domains,uid=([^,]+),ou=Drones,dc=unimatrix-one,dc=org$"
		attrs=entry,@extensibleObject
       by dn.exact,expand="uid=$1,ou=Drones,dc=unimatrix-one,dc=org" write
       by * read


This should do the trick (in 2.2; in 2.1 I'm not sure the "exact,expand" style works;
in that case, "regex" would suffice). Replace "@extensibleObject" with a list of
objectClasses you want to allow, and the leading "^[^,]+" with a stricter regex
if you want to further limit what type of RDNs one can add (e.g. "^cn=[^,]+"
if you want RDNs to start with "cn=").


Note that all of this is clearly written in the man page.

p.

?

And how do I "and to the pseudoattribute "entry" of the entry you want to add" ?

On Saturday 10 of April 2004 12:38, Pierangelo Masarati wrote:


Jernej Kos wrote:


Well, I would like users to be able to add or change all objects
below their "Domains".


You need to explicitly add write access to the pseudo-attribute "children" of the
parent entry, and to the pseudo-attribute "entry" of the entry you want to add.

See also http://www.openldap.org/faq/data/cache/189.html



Where can I get slapd.access of 2.2


In 2.2 sources; from the CVS; ...



(there is only 2.1 on the openldap.org site).

On Friday 09 of April 2004 15:38, Pierangelo Masarati wrote:


OK. Now you should specify what kind of write access you need and you don't get
with this ACL. In slapd.access(5) of 2.2 you'll find a clear description of the
access level you need to each portion of an entry for each operation. You should
also indicate what identity you're using; you could look at logging with
level 16 (ACL) to see where in the ACL check your access fails.


SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
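The two dn.regex ACLs Pierangelo gives above (write on the parent's "children" pseudo-attribute, write on the new entry's "entry" pseudo-attribute) can be checked offline before loading them into slapd.conf. The script below is an added example, not code from the thread or from OpenLDAP: it re-implements only the regex match and the $1 expansion into the "by dn.exact,expand" clause for an add operation, with the DN suffix and the sample uids (alice, bob) constructed for illustration.

```python
import re

# Constructed suffix, taken from the ACLs quoted in the thread.
BASE = "ou=Drones,dc=unimatrix-one,dc=org"

# ACL 1: write to pseudo-attribute "children" of the owner's ou=Domains entry.
CHILDREN_ACL = re.compile(rf"^ou=Domains,uid=([^,]+),{re.escape(BASE)}$")
# ACL 2: write to pseudo-attribute "entry" of the new entry directly below it.
ENTRY_ACL = re.compile(rf"^[^,]+,ou=Domains,uid=([^,]+),{re.escape(BASE)}$")


def parent_dn(dn: str) -> str:
    """Strip the leading RDN (these sample DNs contain no escaped commas)."""
    return dn.split(",", 1)[1]


def owner_of(acl: re.Pattern, target_dn: str):
    """Return the bind DN that 'by dn.exact,expand="uid=$1,...' expands to,
    or None when the 'access to dn.regex' clause does not match target_dn."""
    m = acl.match(target_dn)
    if not m:
        return None
    return f"uid={m.group(1)},{BASE}"  # the $1 expansion


def can_add(bind_dn: str, new_dn: str) -> bool:
    """Simplified slapd model: an add needs write on the parent's "children"
    AND write on the new entry's "entry".  "by * read" grants neither, so any
    identity other than the expanded owner DN is refused."""
    children_ok = owner_of(CHILDREN_ACL, parent_dn(new_dn)) == bind_dn
    entry_ok = owner_of(ENTRY_ACL, new_dn) == bind_dn
    return children_ok and entry_ok
```

Because ENTRY_ACL allows exactly one RDN in front of ou=Domains, the model also shows that these two ACLs cover only entries one level below a user's Domains container, not a whole subtree.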