
Re: Rights to create a new entry



After a lot of tries, I managed to authorise a user to
create a subentry of its own entry with the following
ACL:

access to dn.regex="[^,]+,(cn=[^,]+,ou=users,dc=ouba,dc=org)$" attrs="children"
        by anonymous none
        by users none

access to dn.regex="[^,]+,(cn=[^,]+,ou=users,dc=ouba,dc=org)$"
        by dn.exact,expand="$2" write
        by anonymous none
        by users none

The first one is there to authorise only one level, because the second
one gives implicit write permission to the children attribute.

Then, in order to modify the entry easily with phpldapadmin, I
have to add this ACL:

access to dn.base="cn=SubSchema" attrs="objectClasses,attributeTypes,ldapSyntaxes"
by anonymous none
by users read


Now I have a little problem, because in reality, when I look
at the log, it seems the $2 is not expanded correctly:

Dec  1 15:54:24 smtp slapd[26346]: <= check a_dn_pat: $2

I'm on OpenLDAP 2.1.30; should I upgrade to the 2.2.x
series? Because my distribution (Gentoo) doesn't have an
ebuild for this version (only a test ebuild).
Perhaps my syntax is not correct, but in the 2.1.x
slapd.access man page, expand, regex, etc. are not
described well.

Thanks ...

Denis
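
An added illustration of the mechanics discussed above (not code from the post, and not OpenLDAP's ACL engine): a small Python simulator of how a `dn.regex` target combined with a `by dn.exact,expand="$N"` clause is meant to work. It applies the exact pattern from the ACL above to a few constructed DNs (`cn=denis`, `cn=alice`, and children of them, all assumed for the example) and performs the `$N` substitution the way slapd is expected to: `$0` is the whole match and `$1`, `$2`, ... are the parenthesised groups. Because this pattern contains exactly one group, only `$1` has anything to expand to; a reference to a group the pattern does not have is left as literal text, which is what the function returns for `$2`. The simulator also assumes POSIX `regexec()` semantics, i.e. an unanchored pattern matches anywhere in the DN, so it shows that a `^` anchor is what limits the match to direct children; check that against your slapd version.

```python
import re

# Added example, not the slapd engine: models only dn.regex matching and
# $N expansion, with no attribute lists, access levels or DN normalisation.

# The target pattern from the ACL above. It has exactly one parenthesised
# group, so the only back-references it can satisfy are $0 and $1.
PATTERN = r"[^,]+,(cn=[^,]+,ou=users,dc=ouba,dc=org)$"
# Same pattern anchored at the start of the DN (assumed variant for contrast).
ANCHORED_PATTERN = "^" + PATTERN

# Constructed sample DNs (assumed, not taken from the post).
USER_DN = "cn=denis,ou=users,dc=ouba,dc=org"
CHILD_DN = "cn=address1,cn=denis,ou=users,dc=ouba,dc=org"
GRANDCHILD_DN = "cn=phone,cn=address1,cn=denis,ou=users,dc=ouba,dc=org"
OTHER_CHILD_DN = "cn=address1,cn=alice,ou=users,dc=ouba,dc=org"


def match_target(target_dn, pattern=PATTERN):
    """Return the match object if the ACL target applies to target_dn, else None.

    Assumption: POSIX regexec(), which slapd uses for dn.regex, searches
    anywhere in the string unless the pattern starts with ^, so re.search()
    is used rather than re.match(). DNs compare case-insensitively.
    """
    return re.search(pattern, target_dn, re.IGNORECASE)


def expand(template, match):
    """Substitute $N and ${N} in a 'by dn.exact,expand=...' template.

    $0 is the whole match, $1.. are the capture groups. A reference to a
    group the pattern does not have is left untouched, so the result still
    contains the literal text '$2' when the pattern only has one group.
    """
    ngroups = len(match.groups())

    def sub(m):
        idx = int(m.group(1) if m.group(1) is not None else m.group(2))
        if idx <= ngroups:
            return match.group(idx)
        return m.group(0)  # nothing to expand: keep the literal "$N"

    return re.sub(r"\$\{(\d+)\}|\$(\d+)", sub, template)


def write_allowed(target_dn, requester_dn, template="$1", pattern=PATTERN):
    """True if requester_dn gets 'write' on target_dn under

        access to dn.regex=<pattern>
            by dn.exact,expand="<template>" write

    i.e. the target matches and the expanded template equals the requester.
    """
    m = match_target(target_dn, pattern)
    if m is None:
        return False
    return expand(template, m).lower() == requester_dn.lower()


if __name__ == "__main__":
    m = match_target(CHILD_DN)
    for t in ("$0", "$1", "${1}", "$2"):
        print(f"{t:5} -> {expand(t, m)}")
    for dn in (USER_DN, CHILD_DN, GRANDCHILD_DN, OTHER_CHILD_DN):
        print(f"{dn}: unanchored={write_allowed(dn, USER_DN)} "
              f"anchored={write_allowed(dn, USER_DN, pattern=ANCHORED_PATTERN)}")
```

Running it prints `$1` expanding to `cn=denis,ou=users,dc=ouba,dc=org` while `$2` stays literal, `cn=denis` getting write on its own child and not on `cn=alice`'s child, and the grandchild DN matching the unanchored pattern but not the anchored one.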


Mailing List wrote:
Hi,

I would like to authorise my users to create new entries
below their own. I read a lot of things in the FAQ;
I managed to get an ACL to give the right to write to an
entry below a specific entry, but it is impossible to give
the right to create a brand new entry. In the log file,
it complains about access to "cn=SubSchema".

Can someone tell me what the minimum rights to create
a new entry are?

Thanks in advance

Cordially

Denis