
Re: ACL problem



> On 10/28/05, Samuel Tran <stran@amnh.org> wrote:
>> On Fri, 2005-10-28 at 13:31 +0800, Feifei Jia wrote:
>> > On 10/28/05, Samuel Tran <stran@amnh.org> wrote:
>> > > On Thu, 2005-10-27 at 10:12 +0800, Feifei Jia wrote:
>> > > > On 10/26/05, Samuel Tran <stran@amnh.org> wrote:
>> > > > > On Wed, 2005-10-26 at 20:53 +0800, Feifei Jia wrote:
>> > > > > > Hi there,
>> > > > > >
>> > > > > > What I want to do is:
>> > > > > >
>> > > > > > Let the RDN under ou=Admin,dc=com have write permission to the RDN
>> > > > > > like uid=foo,ou=People,dc=com
>> > > > > >
>> > > > >
>> > > > > Do you want any entries in ou=Admin,dc=com to be able to write to any
>> > > > > entries in ou=People,dc=com?
>> > > > >
>> > > > > Sam
>> > > > >
>> > > > >
>> > > >
>> > > > Yes, that's exactly what I want to do. Could you tell me how to
>> > > > achieve this?
>> > >
>> > > Try this:
>> > >
>> > > access to dn.subtree="ou=People,dc=com"
>> > >         by dn.one="ou=Admin,dc=com" write
>> > >
>> > > Sam
>> > >
>> >
>> > If I want to use regex to let DN like
>> > "uid=test,ou=Admin,dc=demo1,dc=com" can write to entries in
>> > "ou=People,dc=demo1,dc=com", and change "demo1" to "([^,]+)" , what
>> > should I do? It seems I cannot combine subtree with regex.
>> >
>>
>> According to man slapd.access, this should work for you:
>>
>> access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$"
>>         by dn.one,expand="ou=Admin,dc=$1,dc=com"
>>
>> Let me know if it is fine.
>>
>> Sam
>>
>>
>
> It seems not to work, I only get an "Insufficient access (50)" error :(
> Maybe "dn.one" is not a good choice?

Sorry I forgot the access field. It should be:

access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$"
	by dn.one,expand="ou=Admin,dc=$1,dc=com" write


'dn.one' should be sufficient. If it still doesn't work, could you please
send an extract of your ldap logs?

--
Sam
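Added note and example, not part of the thread above. One thing worth checking in the posted rule before turning up the logs: in the regex `^(.+,)?ou=People,dc=([^,]+),dc=com$` the parentheses are numbered left to right, so `(.+,)?` is group 1 and `([^,]+)` is group 2. slapd.access documents `$N` in an `expand` subject as a reference to group N of the `to dn.regex`, which means `dc=$1` is filled with the optional leading RDN part (for `uid=foo,ou=People,...` that is the text `uid=foo,`), not with `demo1`, and the expanded `by` DN can never equal the admin entry's parent. The following Python is a constructed model of that evaluation: it expands `$N`/`${N}` from the `to` match and applies one-level (`dn.one`) semantics, i.e. the bound DN must be an immediate child of the expanded base. It deliberately ignores the DN normalization (case folding, whitespace) slapd performs before matching, and the DNs are test data, not from the original posts.

```python
import re

# Constructed model of how slapd evaluates
#   access to dn.regex="<regex>"
#           by dn.one,expand="<dn containing $N>" write
# This is an added illustration, not OpenLDAP code. DN normalization
# (case folding, whitespace) that slapd applies before matching is ignored.

# The 'to' regex from the thread; the dc=demo1 / uid=test values below are made up.
TARGET_RE = r"^(.+,)?ou=People,dc=([^,]+),dc=com$"


def expand_subject(by_pattern, match):
    """Substitute $N / ${N} in the 'by' DN with groups captured by the 'to' regex.

    slapd.access documents $1..$9 as references to the parenthesised groups
    of the dn.regex in the matching 'access to' clause; this mimics that.
    """
    def repl(m):
        n = int(m.group(1) or m.group(2))
        return match.group(n) or ""      # an unmatched optional group expands to nothing
    return re.sub(r"\$(?:(\d)|\{(\d)\})", repl, by_pattern)


def parent_dn(dn):
    """Strip the leftmost RDN; a comma escaped with a backslash does not split."""
    rdns = re.split(r"(?<!\\),", dn)
    return ",".join(rdns[1:])


def evaluate(target_dn, bind_dn, by_pattern, target_re=TARGET_RE):
    """Evaluate one ACL clause and return (applies, expanded_base, granted).

    applies -- whether target_dn matched the 'to' regex at all
    base    -- the 'by' DN after $N expansion (None if the clause does not apply)
    granted -- dn.one semantics: bind_dn must be an immediate child of base
    """
    m = re.match(target_re, target_dn)
    if not m:
        return (False, None, False)
    base = expand_subject(by_pattern, m)
    return (True, base, parent_dn(bind_dn) == base)


if __name__ == "__main__":
    target = "uid=foo,ou=People,dc=demo1,dc=com"
    admin = "uid=test,ou=Admin,dc=demo1,dc=com"
    for pattern in ("ou=Admin,dc=$1,dc=com", "ou=Admin,dc=$2,dc=com"):
        applies, base, granted = evaluate(target, admin, pattern)
        print(f"{pattern:24} -> base {base!r:34} granted={granted}")
```

Running it shows `$1` expanding to `ou=Admin,dc=uid=foo,,dc=com` (never a real parent) while `$2` expands to `ou=Admin,dc=demo1,dc=com` and grants the write. On OpenLDAP 2.3 or later the same question can be put to the real ACL engine with `slapacl -f slapd.conf -D "uid=test,ou=Admin,dc=demo1,dc=com" -b "uid=foo,ou=People,dc=demo1,dc=com" "uid/write"` before restarting slapd.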