Re: Sets in ACLs
> I found an answer to a question about group recursion I posted a while
> ago. The Answer is to use Sets... This feature is not very properly
> documented and as such I am having a bit of trouble.
>
> I have an acl like the following:
> access to dn.regex="^(ou=[^,]+(,?[^,]*,?)*ou=directory)$"
> attrs=entry
> by set.regex="([cn=alter,$1])/uniqueMember* & user" write
> by set.regex="([cn=read,$1])/uniqueMember* & user" read
>
> Which basically gives users access to a certain ou if they or their
> group is listed in the read/alter groups below the ou. Anyway the above
> entry works as expected. However if I alter the by set clauses to any
> one of the following it does not work:
>
> by set.regex="([cn=alter,]+[$1])/uniqueMember* & user" write
> ^ Only change to concatenate instead
^^^ the "+" operator is in 2.3 only, as stated in the FAQ
<http://www.openldap.org/faq/data/cache/1133.html>
> by set="([cn=alter,]+this])/uniqueMember* & user" write
> ^ ^ Can't I use "this" to expand to the ou?
> No regex expansion
^^^ see above; note that there's an extra "]" in the above expression
right after "this".
>
> I am also wondering is there a this/children I can use to expand to the
> set of all children of 'this'?
Not that I know. Patches are welcome (hint: use an internal search with
"this" as base and "one" as scope; search for DN only, i.e. "1.1" as
requested attribute; use the rootDN as identity for the internal search,
as it is performed to determine access rights and, as such, might otherwise
result in an endless loop).
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
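As an added example (not part of the original thread), here is the ACL from the question written twice: once in the regex-expansion form that already works, and once in the 2.3-only concatenation form that Pierangelo points to, with the stray "]" after `this` removed. The `ou=...,ou=directory` layout, the `cn=alter` and `cn=read` group names and the `uniqueMember` attribute come from the question; the fragment is constructed here and follows slapd.conf(5)/slapd.access(5) syntax.

```conf
# Constructed slapd.conf fragment. Matches entries such as ou=sales,ou=directory
# and grants rights according to the cn=alter / cn=read groups beneath them.

# Works on OpenLDAP 2.2 and later: set.regex expands $1, the parenthesised
# match from dn.regex, so the group DN is built by regex substitution.
access to dn.regex="^(ou=[^,]+(,?[^,]*,?)*ou=directory)$"
        attrs=entry
        by set.regex="([cn=alter,$1])/uniqueMember* & user" write
        by set.regex="([cn=read,$1])/uniqueMember* & user" read

# OpenLDAP 2.3 only: the "+" set operator concatenates the literal string
# "cn=alter," with "this" (the DN of the entry being accessed).  A plain
# "set" clause does no regex expansion, so $1 is not available here, and
# there must be no extra "]" after "this".
access to dn.regex="^(ou=[^,]+(,?[^,]*,?)*ou=directory)$"
        attrs=entry
        by set="([cn=alter,]+this)/uniqueMember* & user" write
        by set="([cn=read,]+this)/uniqueMember* & user" read
```

Both forms grant write to members (directly or through nested groups, hence the `*` closure on `uniqueMember`) of `cn=alter,<ou>` and read to members of `cn=read,<ou>`; which one you can use depends only on the slapd version, since the concatenation operator is absent before 2.3.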