
Re: regex in group ACL



François,

I (finally) understood your problem (at least I think), and my answer is that currently there's no means to do that even with sets (which are not as magic as I thought, although very versatile). As such, I just extended them in HEAD code to allow subsearches when resolving DNs by means of the URI form. If you have a chance to try HEAD code, the following (yet undocumented) access rule should do the trick (just tested with a setup similar to yours):

access to dn.regex=".*,(cn=exampleSSOStorageV2,uid=[^,]+,ou=Users,dc=example,dc=com)$"
by set.expand="[ldap:///$1??subtree?(objectClass=exampleSSOAccountDelegation)]/exampleUserEntityObject & user" read


which means: everything below "cn=exampleSSOStorageV2,uid=[^,]+,ou=Users,dc=example,dc=com"
with arbitrary "uid" is accessible by users listed in its branches under the "exampleUserEntityObject" attribute of entries with "exampleSSOAccountDelegation" objectClass.


Ciao, p.





   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
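To make the evaluation order of that rule concrete, here is an added Python model (not code from the message, nor from OpenLDAP) of how slapd would process it: the `dn.regex` captures the per-user storage container as `$1`, the `set.expand` URI does a subtree search below that container for `exampleSSOAccountDelegation` entries, the `/exampleUserEntityObject` part projects their delegate DNs, and `& user` intersects that with the requester's DN. The in-memory `DIRECTORY`, the two users' trees and the function names are all constructed for the illustration; real slapd also normalizes DN case, which the sample data sidesteps by using one consistent spelling.

```python
"""Toy model of the slapd access rule from the message:

access to dn.regex=".*,(cn=exampleSSOStorageV2,uid=[^,]+,ou=Users,dc=example,dc=com)$"
    by set.expand="[ldap:///$1??subtree?(objectClass=exampleSSOAccountDelegation)]/exampleUserEntityObject & user" read
"""
import re

# Constructed sample directory (hypothetical data): DN -> attribute values.
# alice delegates her storage to bob, dave delegates his to carol.
DIRECTORY = {
    "uid=alice,ou=Users,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"]},
    "cn=exampleSSOStorageV2,uid=alice,ou=Users,dc=example,dc=com": {
        "objectClass": ["organizationalRole"]},
    "cn=token1,cn=exampleSSOStorageV2,uid=alice,ou=Users,dc=example,dc=com": {
        "objectClass": ["applicationProcess"]},
    "cn=deleg,cn=exampleSSOStorageV2,uid=alice,ou=Users,dc=example,dc=com": {
        "objectClass": ["exampleSSOAccountDelegation"],
        "exampleUserEntityObject": ["uid=bob,ou=Users,dc=example,dc=com"]},
    "cn=exampleSSOStorageV2,uid=dave,ou=Users,dc=example,dc=com": {
        "objectClass": ["organizationalRole"]},
    "cn=token1,cn=exampleSSOStorageV2,uid=dave,ou=Users,dc=example,dc=com": {
        "objectClass": ["applicationProcess"]},
    "cn=deleg,cn=exampleSSOStorageV2,uid=dave,ou=Users,dc=example,dc=com": {
        "objectClass": ["exampleSSOAccountDelegation"],
        "exampleUserEntityObject": ["uid=carol,ou=Users,dc=example,dc=com"]},
}

# The <what> clause. The leading ".*," means only entries strictly below the
# storage container match; group 1 becomes $1 in the set expansion.
TARGET_RE = re.compile(
    r".*,(cn=exampleSSOStorageV2,uid=[^,]+,ou=Users,dc=example,dc=com)$")

SET_FILTER_OC = "exampleSSOAccountDelegation"  # filter inside the URI
SET_ATTR = "exampleUserEntityObject"           # the "/attr" projection


def match_target(target_dn):
    """Return $1 (the storage container DN) if the rule applies to target_dn, else None."""
    m = TARGET_RE.match(target_dn)
    return m.group(1) if m else None


def subtree_search(base_dn, object_class):
    """Toy ldap:///<base>??subtree?(objectClass=<oc>): DNs at or below base with that class."""
    return [dn for dn, attrs in DIRECTORY.items()
            if (dn == base_dn or dn.endswith("," + base_dn))
            and object_class in attrs.get("objectClass", [])]


def expand_set(base_dn, user_dn):
    """[ldap:///$1??subtree?(...)]/exampleUserEntityObject & user -> resulting set of DNs."""
    delegates = set()
    for dn in subtree_search(base_dn, SET_FILTER_OC):
        delegates.update(DIRECTORY[dn].get(SET_ATTR, []))
    # A set grants access when the final expression is non-empty.
    return delegates & {user_dn}


def can_read(user_dn, target_dn):
    """True if this single access directive grants 'read' on target_dn to user_dn."""
    base = match_target(target_dn)
    if base is None:
        return False  # rule does not apply; slapd would move on to the next directive
    return bool(expand_set(base, user_dn))


if __name__ == "__main__":
    bob = "uid=bob,ou=Users,dc=example,dc=com"
    alice_token = "cn=token1,cn=exampleSSOStorageV2,uid=alice,ou=Users,dc=example,dc=com"
    print(can_read(bob, alice_token))
```

Two properties worth noticing in the model: the delegation only reaches entries below the matched container (a delegation entry in dave's tree says nothing about alice's), and the container entry itself is outside the rule because the regex demands an RDN in front of it, so a separate directive is needed if delegates must read that entry too.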