
ACL (Regex) help needed



hi,

I have the following structure:

cn=foobar,ou=aliases,dc=domain1,ou=mail,ou=services,ou=department,dc=domain,dc=foo
cn=foobar1,ou=aliases,dc=domain2,ou=mail,ou=services,ou=department,dc=domain,dc=foo
cn=foobar2,ou=aliases,dc=domain2,ou=mail,ou=services,ou=department,dc=domain,dc=foo

cn=foobar looks like:

dn: cn=foobar,ou=aliases,dc=domain1,ou=mail,ou=services,ou=department,dc=domain,dc=foo
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: top
cn: admin
sn: admin
description: added_by_dekanat
mailLocalAddress: sysop@department.domain.foo
mailRoutingAddress: foobar@department.domain.foo

At the moment I have one role "mail" that has access to:

dn.sub="ou=mail,ou=services,ou=department,dc=domain,dc=foo" read

It works as expected: the mail server can read all entries.

Now I want to create a role that has permission to delete/add/modify all entries below ou=aliases in all domains (dc=domain,ou=mail...), but only if "description: <string>" is found (this condition applies to delete/modify only, not to add).

Is that possible?

Otherwise, what does it look like if I drop the "only if" idea?

cu denny
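One way to express the rule set asked about above, as an added example in OpenLDAP 2.4 slapd.conf syntax (not part of the original post or the poster's configuration). The role DNs cn=aliasadmin,ou=roles,dc=domain,dc=foo and cn=mail,ou=roles,dc=domain,dc=foo are assumed placeholders. It relies on three properties of slapd's access control: the add and delete privileges can be granted separately ("=a" and "=z", both contained in "write"); adding or deleting an entry additionally needs write on the "children" pseudo-attribute of the parent; and a "filter=" clause is tested against the entry the operation targets, which for add is the new entry itself.

```conf
# Added example, not from the original post. Assumed, hypothetical DNs:
#   cn=aliasadmin,ou=roles,dc=domain,dc=foo  - the new alias-management role
#   cn=mail,ou=roles,dc=domain,dc=foo        - the existing "mail" reader role
# Rules are evaluated in order: the first "access to" whose target matches is
# used, and within it the first matching "by" clause ends evaluation unless it
# says "break". The specific rules must therefore precede the broad read rule.

# 1. Adding or deleting a child of any ou=aliases container (in any dc=... domain)
#    requires write on that container's "children" pseudo-attribute.
access to dn.regex="^ou=aliases,dc=[^,]+,ou=mail,ou=services,ou=department,dc=domain,dc=foo$"
        attrs=children
    by dn.exact="cn=aliasadmin,ou=roles,dc=domain,dc=foo" write
    by * break

# 2. Alias entries that carry a description: the role may modify and delete them.
#    Entries without a description do not match this rule at all, so evaluation
#    falls through to rule 3. Use filter=(description=added_by_dekanat) to key on
#    a specific value instead of mere presence.
access to dn.regex="^cn=[^,]+,ou=aliases,dc=[^,]+,ou=mail,ou=services,ou=department,dc=domain,dc=foo$"
        filter=(description=*)
    by dn.exact="cn=aliasadmin,ou=roles,dc=domain,dc=foo" write
    by * break

# 3. Any alias entry, with or without a description: add privilege only ("=a").
#    The role can create new entries, but gets neither modify nor delete on
#    existing entries that lack a description.
access to dn.regex="^cn=[^,]+,ou=aliases,dc=[^,]+,ou=mail,ou=services,ou=department,dc=domain,dc=foo$"
    by dn.exact="cn=aliasadmin,ou=roles,dc=domain,dc=foo" =a
    by * break

# 4. The existing rule: the mail server reads the whole mail subtree.
access to dn.subtree="ou=mail,ou=services,ou=department,dc=domain,dc=foo"
    by dn.exact="cn=mail,ou=roles,dc=domain,dc=foo" read
    by * none
```

Two things to check before relying on this. First, regex targets match against the normalized DN, so keep the pattern lowercase and anchored with ^ and $; "dc=[^,]+" is what lets one rule cover dc=domain1, dc=domain2 and any domain added later. Second, confirm the intended outcome with slapacl rather than by reading the rules, for example "slapacl -f /etc/openldap/slapd.conf -D cn=aliasadmin,ou=roles,dc=domain,dc=foo -b cn=foobar,ou=aliases,dc=domain1,ou=mail,ou=services,ou=department,dc=domain,dc=foo entry/write" should be granted for an entry with a description and denied for one without, while "children/write" on the ou=aliases container itself should be granted. Note also that rule 2 gives the role write on the description attribute, so it can remove the very attribute that grants it control; after that the entry is only readable to it again.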