
Re: ACL problem



On Mon, 2005-10-31 at 21:45 +0800, Feifei Jia wrote:
> On 10/29/05, Samuel Tran <stran@amnh.org> wrote:
> > Feifei Jia wrote:
> >
> > >On 10/28/05, Samuel Tran <stran@amnh.org> wrote:
> > >
> > >
> > >>On Fri, 2005-10-28 at 13:31 +0800, Feifei Jia wrote:
> > >>
> > >>
> > >>>On 10/28/05, Samuel Tran <stran@amnh.org> wrote:
> > >>>
> > >>>
> > >>>>On Thu, 2005-10-27 at 10:12 +0800, Feifei Jia wrote:
> > >>>>
> > >>>>
> > >>>>>On 10/26/05, Samuel Tran <stran@amnh.org> wrote:
> > >>>>>
> > >>>>>
> > >>>>>>On Wed, 2005-10-26 at 20:53 +0800, Feifei Jia wrote:
> > >>>>>>
> > >>>>>>
> > >>>>>>>Hi there,
> > >>>>>>>
> > >>>>>>>What I want to do is:
> > >>>>>>>
> > >>>>>>>Let the RDN under ou=Admin,dc=com have write permission to the RDN
> > >>>>>>>like uid=foo,ou=People,dc=com
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>>>>Do you want any entries in ou=Admin,dc=com to be able to write to any
> > >>>>>>entries in ou=People,dc=com?
> > >>>>>>
> > >>>>>>Sam
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>>
> > >>>>>Yes, that's exactly what I want to do. Could you tell me how to achieve this?
> > >>>>>
> > >>>>>
> > >>>>Try this:
> > >>>>
> > >>>>access to dn.subtree="ou=People,dc=com"
> > >>>>        by dn.one="ou=Admin,dc=com" write
> > >>>>
> > >>>>Sam
> > >>>>
> > >>>>
> > >>>>
> > >>>If I want to use a regex to let a DN like
> > >>>"uid=test,ou=Admin,dc=demo1,dc=com" write to entries in
> > >>>"ou=People,dc=demo1,dc=com", and change "demo1" to "([^,]+)", what
> > >>>should I do? It seems I cannot combine subtree with regex.
> > >>>
> > >>>
> > >>>
> > >>According to man slapd.access, this should work for you:
> > >>
> > >>access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$"
> > >>        by dn.one,expand="ou=Admin,dc=$1,dc=com"
> > >>
> > >>Let me know if it is fine.
> > >>
> > >>Sam
> > >>
> > >>
> > >>
> > >>
> > >
> > >It seems not to work; I only get an "Insufficient access (50)" error :(
> > >Maybe "dn.one" is not a good choice?
> > >
> > >
> > Sorry I forgot the access field. It should be:
> >
> > access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$"
> >         by dn.one,expand="ou=Admin,dc=$1,dc=com" write
> >
> >
> > --
> > Sam
> >
> 
> Actually, I did add "write" in the "by" clause that day. And I ran
> "slapd -d 128"; it showed something like "access denied" :(
> 

Sorry, I made a mistake; it should be $2 instead of $1 in the who clause:

access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$"
        by dn.one,expand="ou=Admin,dc=$2,dc=com" write

Sam
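The $1/$2 mix-up in the thread is easy to see once the expansion is written out. The following is an added example, not slapd code and not something from the thread: it simulates how the `,expand` modifier substitutes the capture groups of the `dn.regex` what clause into the `dn.one` who clause, and then applies the one-level test. It assumes a simplified DN normalization (case-folding only, no escaped commas or multi-valued RDNs) and evaluates a single ACL clause in isolation; real slapd evaluates `access to` clauses in order, applies the first one whose what clause matches, and also checks per-attribute access. The authoritative check against a real configuration is slapacl(8).

```python
import re

# Constructed example: the <what> clause from the thread, with the same two
# capture groups. Group 1 is the optional RDN prefix (e.g. "uid=foo,"), group 2
# is the dc value (e.g. "demo1"). slapd matches ACL regexes against normalized
# DNs; IGNORECASE is only an approximation of that normalization (assumption).
WHAT_RE = re.compile(r"^(.+,)?ou=People,dc=([^,]+),dc=com$", re.IGNORECASE)


def split_rdns(dn):
    """Split a DN into RDNs on unescaped commas (assumes no multi-valued RDNs)."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]


def normalize_dn(dn):
    """Cheap normalization: lower-case and strip whitespace around RDNs."""
    return ",".join(p.lower() for p in split_rdns(dn))


def expand_who(who_pattern, match):
    """Substitute $1, $2, ... in the <who> pattern with the <what> capture groups,
    as the ',expand' modifier does. An optional group that did not participate
    in the match expands to the empty string."""
    def repl(m):
        group = match.group(int(m.group(1)))
        return group if group is not None else ""
    return re.sub(r"\$(\d+)", repl, who_pattern)


def dn_one_matches(bound_dn, base_dn):
    """dn.one: the bound DN must be an immediate child of base_dn."""
    parent = ",".join(split_rdns(bound_dn)[1:])
    return normalize_dn(parent) == normalize_dn(base_dn)


def acl_grants_write(target_dn, bound_dn, who_pattern):
    """Evaluate one 'access to dn.regex=... by dn.one,expand=... write' clause.
    Returns (granted, expanded_base) so the expansion itself can be inspected."""
    m = WHAT_RE.match(target_dn)
    if not m:
        return False, None          # this ACL clause does not apply to target_dn
    base = expand_who(who_pattern, m)
    return dn_one_matches(bound_dn, base), base


if __name__ == "__main__":
    # Constructed DNs matching the ones discussed in the thread.
    target = "uid=foo,ou=People,dc=demo1,dc=com"
    admin = "uid=test,ou=Admin,dc=demo1,dc=com"
    for who in ("ou=Admin,dc=$1,dc=com", "ou=Admin,dc=$2,dc=com"):
        granted, base = acl_grants_write(target, admin, who)
        print(f"{who:24s} -> base {base!r}: {'write' if granted else 'denied'}")
```

With `$1`, the who clause expands to `ou=Admin,dc=uid=foo,,dc=com`, which no bound DN can ever be one level below, so every bind is denied; with `$2` it expands to `ou=Admin,dc=demo1,dc=com`, and only entries directly under that OU in the same dc get write access. Admins from another dc, and entries nested one level deeper under ou=Admin, are correctly refused by the one-level test.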