
Re: Regexp in rootdn and set-resolving of monitor attr



On 01.04.2011 13:25, Kilian Röhner wrote:
>>> 1. Is it possible to specify a regexp as rootdn?
>>
>> No, but if you use SASL (e.g. ldapsearch -H ldapi:// -QY EXTERNAL) or
>> proxy auth, then you can use authz-regexp to rewrite multiple DNs to
>> a single one which you then can use as rootDN.
> 
> OK, that is what I am already doing. Currently, I bind every admin to
> cn=ldapadmin,XYZ but I would like to bind them to
> cn=<user>,cn=ldapadmin,XYZ so that I can see in the creatorsName and
> modifiersName of the nodes who did what.
> 
> It would be nice to have this in the future (if this is the right place
> to say it).

Why don't you use ACLs to give admins the permissions they need? There's
no need to abuse the rootdn for that.


>>> 2. In an access-rule, i have a set like:
>>> by set="(user + ([cn=Current,cn=Time,cn=Monitor]/monitorTimestamp)) &
>>> (this/modifiersName + this/createTimestamp)" write
>>
>> You want to let bound users write to entries they created this second?
>> Cool, but fragile since the creation might happen at the end of the
>> second, and the next write op next second.
> 
> Yes, that is what I'm trying to do. In fact, I want to allow some users
> only to create nodes, but not to modify or delete them. The problem is,
> of course, that OpenLDAP has only "read" and "write" rules, while the
> latter usually implies that one can add, modify and delete.

Take a look at slapd.access(5). There is an "add" privilege.


> Anyone has an idea why the Monitor thing is not working?
> 
>>
>>> But it seems, that the Monitor-Part isn't resolved correctly (returns
>>> empty and thus empty for the whole set).
>>
> 


Regards,
Christian Manal
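As an added illustration of the two points in the reply (per-user ACLs instead of the rootdn, and the "add" privilege from slapd.access(5)), here is a slapd.conf ACL fragment; it is not from the thread, and the suffix, the ou=nodes subtree and the two group DNs are assumed names. Because admins bind with their own DN rather than the rootdn, creatorsName and modifiersName record the individual user, and because the "creators" group only holds "add", its members can create entries under ou=nodes but cannot modify or delete them afterwards.

```conf
# slapd.conf ACL fragment (added example, not from the thread).
# Assumed names: suffix dc=example,dc=com; entries live under
# ou=nodes,dc=example,dc=com; "creators" are members of
# cn=creators,ou=groups,dc=example,dc=com; admins are members of
# cn=ldapadmin,ou=groups,dc=example,dc=com.

# Adding an entry requires "add" on the parent's "children"
# pseudo-attribute. Deleting one would require "delete" there,
# which creators never get.
access to dn.exact="ou=nodes,dc=example,dc=com" attrs=children
    by group.exact="cn=ldapadmin,ou=groups,dc=example,dc=com" write
    by group.exact="cn=creators,ou=groups,dc=example,dc=com" add
    by * none

# The new entry and its attributes also need "add". "add" sits below
# "write" in the privilege ladder, so a later modify or delete of the
# same entry by a creator is refused with "Insufficient access", while
# admins (full "write") can still change it.
access to dn.children="ou=nodes,dc=example,dc=com"
    by group.exact="cn=ldapadmin,ou=groups,dc=example,dc=com" write
    by group.exact="cn=creators,ou=groups,dc=example,dc=com" add
    by users read
    by * none

# Everything else: admins write, authenticated users read.
access to *
    by group.exact="cn=ldapadmin,ou=groups,dc=example,dc=com" write
    by users read
    by * none
```

The rules can be checked offline with slapacl(8) before restarting slapd, e.g. `slapacl -f slapd.conf -D "uid=alice,ou=people,dc=example,dc=com" -b "ou=nodes,dc=example,dc=com" children/add` (user DN assumed), which reports whether that identity is granted "add" on the parent's children.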