
Re: ACLs on OUs and their children/leaves




Pierangelo Masarati wrote:

|> access to dn.sub="ou=users,dc=domain,dc=tld"
|>       by dnattr="ou" write
|
|
| This is wrong because, as the name says, you need to set "dnattr" to an
| attribute that is DN-valued (or nameAndOptionalUID-valued, like
| uniqueMember).  The solution to your problem is:
|
| access to dn.regex="(.+,)?(ou=[^,]+,ou=users,dc=domain,dc=tld)$"
|    by dn.exact,expand="$2" write
|
| i.e. grab the terminal portion of the DN and use it to compare with the
| identity of the operation.
|
Ciao Pierangelo

Thank you very much - this solved my problem.
I'm a bit puzzled, though ... I didn't find any reference to the
backreferencing capabilities of slapd's regex (expand=$2) in the manuals
that I read. Does anybody know where to find the appropriate
documentation (besides in the code)?

thx markus
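To make the regex/expand rule from Pierangelo's reply concrete, the following is an added Python emulation of how that one ACL clause is evaluated; it is not slapd code and not from either poster. It assumes a simplified stand-in for slapd's DN normalisation (lower-case, whitespace trimmed, no escaped commas) and emulates only the `$<digit>` expansion described in slapd.access(5).

```python
import re

# <what> clause from the reply: group 2 is the OU directly under ou=users.
TARGET_RE = re.compile(r"(.+,)?(ou=[^,]+,ou=users,dc=domain,dc=tld)$")
# <who> clause: dn.exact,expand="$2"
WHO_TEMPLATE = "$2"


def normalize_dn(dn: str) -> str:
    """Rough stand-in for slapd's DN normalisation (assumption: no escaped
    commas in RDN values). slapd matches regexes against the normalised DN,
    so case and spacing differences in the client-supplied DN do not matter."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def matched_groups(target_dn: str):
    """Return ($1, $2) the <what> regex captures for target_dn, or None if the
    clause does not apply to that entry at all."""
    m = TARGET_RE.search(normalize_dn(target_dn))
    if m is None:
        return None
    return (m.group(1) or "", m.group(2))


def expand(template: str, match: re.Match) -> str:
    """Substitute $1..$9 with the capture groups, like the ,expand modifier."""
    return re.sub(r"\$(\d)", lambda s: match.group(int(s.group(1))) or "", template)


def write_granted(target_dn: str, bound_dn: str) -> bool:
    """True if the identity bound_dn gets write on target_dn under this rule:
    the expanded $2 must equal the bound DN exactly (dn.exact)."""
    m = TARGET_RE.search(normalize_dn(target_dn))
    if m is None:
        return False  # <what> does not match: this access line is skipped
    return normalize_dn(bound_dn) == expand(WHO_TEMPLATE, m)


if __name__ == "__main__":
    # Constructed sample DNs, not from the thread.
    ou = "ou=sales,ou=users,dc=domain,dc=tld"
    print(matched_groups("cn=bob,ou=team1," + ou))   # greedy $1 swallows the sub-OU
    print(write_granted("cn=alice," + ou, ou))        # True: the OU entry owns its subtree
    print(write_granted("cn=alice,ou=users,dc=domain,dc=tld", "ou=users,dc=domain,dc=tld"))
```

Note that the pattern has no leading `^`; because `$2` is pinned to the end of the DN that is harmless for DNs built from standard attribute types, but anchoring both ends is the usual habit in slapd.access(5) examples.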