Re: access control help
David Olivier some time wrote:
>> access to attr=userPassword
>> by self write
>> by anonymous auth
>> by dn="cn=Admin,dc=orderrace,dc=com" write
>> by * none
>> access to dn.regex=".*,cn=(.*),dc=orderrace,dc=com"
>> by dn.regex=".*,cn=$1,dc=orderrace,dc=com" write
>> by * none
i guess your user will have a problem here reading its own entry
(when specifying '.*,cn=(.*)'). try leaving the ',' out of the regex
and you should get access to the entry itself too, not only the subtree:
access to dn.regex=".*cn=(.*),dc=orderrace,dc=com"
by dn.regex="cn=$1,dc=orderrace,dc=com" write
by * none
this gives your 'cn=<something>,dc=orderrace,dc=com'-users write access
to "their" subtree. if you want to allow subtree entries also to write
the subtree, add a '.*' in front of the second dn.regex too.
not sure whether this works, but it looks logical to me..
daniel
Peter Lüders wrote:
hello,
thanks for your reply. but it doesn't work as it should: if i login e.g. with
'cn=user1,dc=orderrace,dc=com' i see no data, neither my own nor other subtrees.
searches always return 0 entries. i have openldap server version 2.0.7 installed.
may this be the problem ?
for now it would also help me if i had an explicit access rule for every user in
slapd.conf. what should the access rule e.g. for 'cn=user1,dc=orderrace,dc=com'
look like, so that this user has read/write access only to its subtree ?
best regards,
p.lüders
-- snip --
_________________________________________
Tiefnig Daniel
Server-Technology
INFONOVA IT GesmbH
Seering 6, A-8141 Unterpremstätten
AUSTRIA
E-Mail: mailto:daniel.tiefnig@infonova.at
Web: http://www.infonova.at
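To see what the rules in this thread actually grant, here is a small Python emulation of slapd's dn.regex/$1 matching for the three ACL variants discussed above (an added example, not from the thread or from OpenLDAP; it assumes both patterns are anchored at both ends, escapes the captured value before substituting it for $1, and uses constructed entry DNs under dc=orderrace,dc=com):

```python
import re

# slapd.conf ACL variants from the thread, as (target_regex, subject_regex):
# the 'access to dn.regex=' pattern and the 'by dn.regex=' pattern with its $1.
ACL_ORIGINAL = (r".*,cn=(.*),dc=orderrace,dc=com", r".*,cn=$1,dc=orderrace,dc=com")
ACL_FIXED = (r".*cn=(.*),dc=orderrace,dc=com", r"cn=$1,dc=orderrace,dc=com")
# daniel's further suggestion: '.*' in front of the second regex so that
# entries below a user's subtree can bind and write inside that subtree too.
ACL_SUBTREE = (r".*cn=(.*),dc=orderrace,dc=com", r".*cn=$1,dc=orderrace,dc=com")


def acl_grants(acl, target_dn, bind_dn):
    """Emulate one 'access to dn.regex=... by dn.regex=...$1... write' clause.

    Returns True when the bound DN would get the clause's 'write' on target_dn,
    False when it falls through to 'by * none'.  Assumptions of this emulation:
    patterns are anchored at both ends (slapd only anchors where you write ^/$,
    so anchor real rules explicitly), and the capture is regex-escaped before
    it replaces $1.
    """
    target_re, subject_re = acl
    match = re.fullmatch(target_re, target_dn)
    if match is None:
        return False  # the 'access to' line does not cover this entry at all
    expanded = subject_re.replace("$1", re.escape(match.group(1)))
    return re.fullmatch(expanded, bind_dn) is not None


def evaluate(acl, bind_dn="cn=user1,dc=orderrace,dc=com"):
    """Apply one ACL variant to constructed entries under dc=orderrace,dc=com."""
    cases = {
        "own_entry": "cn=user1,dc=orderrace,dc=com",
        "own_subtree": "ou=prefs,cn=user1,dc=orderrace,dc=com",
        "other_entry": "cn=user2,dc=orderrace,dc=com",
        "other_subtree": "ou=prefs,cn=user2,dc=orderrace,dc=com",
    }
    return {name: acl_grants(acl, dn, bind_dn) for name, dn in cases.items()}


if __name__ == "__main__":
    for label, acl in (("original", ACL_ORIGINAL), ("fixed", ACL_FIXED)):
        print(label, evaluate(acl))
    # an entry *inside* user1's subtree binding and writing there
    print("subtree", evaluate(ACL_SUBTREE, "uid=bob,cn=user1,dc=orderrace,dc=com"))
```

The original pair requires a comma before cn= in both patterns, so a user bound as cn=user1,dc=orderrace,dc=com matches nothing and falls to 'by * none', which is consistent with the empty searches reported above.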