
acl, who-statement .... members of all groups are allowed ... who can help me?



Hi Folks

I'm trying to figure out some access rules for a web interface of an
LDAP-aware mail server...
I'm storing the options for drop-down lists in a separate part of the
tree.

c=de
 \o=XXX
      \ou=some departments
      |   \ou=other deeper departments
      |ou=...
      |cn=data
        \cn=domains (values)
         |cn=citys
         |cn=some other options...

Admins have write access to all subtrees they are members of, from
the point of membership.
I've done this with:

access to
dn="([^,]*,)?((ou=([^,]+),)?)((ou=([^,]+),)?)((ou=([^,]+),)?)((ou=([^,]+),)?)o=XXX,c=de"
    by group="$1$3$5o=XXX,c=de" write
    by group="$3$5o=XXX,c=de" write
    by group="$5o=XXX,c=de" write
    by group="o=XXX,c=de" write
    by * read

My problem is: my superadmins (group "o=XXX,c=de") should have
write access to the whole "cn=data" subtree, while all members of another
admin group should only have read access to all entries with the attribute
"slist=yes" and write access to all other lists in this tree...

I've tried:

access to dn=".*cn=data,o=XXX,c=de"
    by group="o=XXX,c=de" write
    by group="(ou=([^,])+,)+o=XXX,c=de" write continue
    by * read

access to filter="(&(objectclass=list)(slist=yes))"
    by * read

...but in a group statement only variables are substituted; no
wildcard substitution is done.

Any suggestions....????




Felix Meulenkamp
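Editor's note, added example (not part of Felix's post or of any reply on the list): besides the group-regex limitation Felix notes, the config has an ordering problem. slapd evaluates "access to" directives in order and uses only the first one whose <what> matches the entry, so an "access to filter=..." placed after an "access to dn=...cn=data..." is never consulted for anything under cn=data. The fragment below shows the posted order beside a reordered one. It is written in OpenLDAP 2.2-or-later syntax (dn.subtree, dn.regex, group.expand; on 2.0 a plain dn="..." is already a regex). Assumptions: list entries carry objectClass=list as in the post, "cn=listadmins,o=XXX,c=de" is a hypothetical groupOfNames holding every department admin (a group= clause accepts only a literal DN, or $N expansion via group.expand, never a regex), and the DNs in the slapacl check are made up.

```conf
# Added example, not from the original post. Assumed: OpenLDAP >= 2.2,
# a hypothetical group cn=listadmins,o=XXX,c=de listing all department
# admins, and the superadmin group o=XXX,c=de exactly as in the post.

# Posted order (does not work): the first 'access to' whose <what> matches
# the entry is the only one evaluated, so the filter= directive below is
# never reached for anything under cn=data.
#
# access to dn.regex="cn=data,o=XXX,c=de$"
#     by group="o=XXX,c=de" write
#     by * read
# access to filter="(&(objectClass=list)(slist=yes))"
#     by * read

# Reordered: most specific <what> first.
# 1. Protected lists (slist=yes): superadmins write, everyone else read.
#    dn= and filter= may be combined in one <what>; an entry under cn=data
#    that does not match the filter skips this directive entirely.
access to dn.subtree="cn=data,o=XXX,c=de"
         filter="(&(objectClass=list)(slist=yes))"
    by group="o=XXX,c=de" write
    by * read

# 2. Everything else under cn=data: superadmins and list admins write.
#    cn=listadmins is an assumed group; group= cannot take a regex.
access to dn.subtree="cn=data,o=XXX,c=de"
    by group="o=XXX,c=de" write
    by group="cn=listadmins,o=XXX,c=de" write
    by * read

# 3. Department subtrees: $2 captures the topmost ou of the target DN and
#    group.expand substitutes it into the group DN. This is variable
#    substitution only, which is exactly the limitation noted in the post.
access to dn.regex="^(.+,)?(ou=[^,]+,)o=XXX,c=de$"
    by group.expand="$2o=XXX,c=de" write
    by * read

# Verify without a client, using slapacl(8) (assumed bind DN and entry):
#   slapacl -f slapd.conf -D "cn=alice,ou=users,o=XXX,c=de" \
#       -b "cn=citys,cn=data,o=XXX,c=de" slist/write
```

Within one directive the first matching "by" clause wins unless it carries "continue" or "break", so a list admin who is not a superadmin falls through to "by * read" in directive 1 and gets write only through directive 2. Keep the "by * read" lines if anonymous read is really wanted; otherwise replace them with "by users read" or "by * none".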