
Variables/Substitution in ACL's



Hi all!

I've got a problem with ACL's.

I'm trying to grant access to a specific subtree to anybody who is in
the peoples-subtree of this specific subtree.
To do that, I need (or at least I think so; if anybody has a different
idea, please tell me) some regex pattern substitution.
I want to substitute "$1" in the "who" part of the ACL with what was
found for the regex ".*o=([^,]+)" in the "what" part of the ACL.

My ACL for that is:
access to dn=".*o=([^,]+),ou=customers,o=myorganisation"
        by dn=".*cn=([^,]+),ou=people,o=myorganisation" write
        by dn=".*cn=([^,]+),ou=people,o= $1 ,ou=customers,o=myorganisation" read
        by anonymous read

Here is a part of the log:
=> access to entry "object=soemobject,o=b-plastic,ou=Kunden,o=myorganisation", attr "objectClass" requested
=> to all values by "CN=TESTER,OU=people,O=specificcustomer,OU=customers,O=myorganisation", (=n)
<= a_dn_pat: .*cn=([^,]+),ou=people,o=myorganisation
<= a_dn_pat: .*cn=([^,]+),ou=people,o= $1 ,ou=customers,o=myorganisation
why is the "$1" not substituted?
<= a_dn_pat: anonymous
<= no more <who> clauses, returning =n (stop)
=> search access denied by =n


Is this the correct idea for implementing the ACL?
If not, how can I get the results I want?

Please Help.
Timo Boettcher
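
The substitution described in the message above, as an added example that is not part of the original post and is not slapd's code: a small Python model that expands "$1" in each <who> pattern from the <what> match and returns the first matching access level. Unanchored, case-insensitive matching, escaping of the captured value, the WHO_NO_BLANKS variant and the sample DNs in the test are assumptions of this model.

```python
import re

# Constructed model of the ACL from the post; not slapd's implementation.
WHAT = r".*o=([^,]+),ou=customers,o=myorganisation"
WHO_AS_LOGGED = [
    (r".*cn=([^,]+),ou=people,o=myorganisation", "write"),
    (r".*cn=([^,]+),ou=people,o= $1 ,ou=customers,o=myorganisation", "read"),
    ("anonymous", "read"),
]
# Same clauses with the blanks around $1 removed (assumed intended form).
WHO_NO_BLANKS = [(p.replace(" $1 ", "$1"), lvl) for p, lvl in WHO_AS_LOGGED]


def expand(who_pattern, what_match):
    """Replace $N in a <who> pattern with group N of the <what> match."""
    def group(m):
        # Escape the captured text so DN values containing regex
        # metacharacters cannot widen the <who> pattern.
        return re.escape(what_match.group(int(m.group(1))))
    return re.sub(r"\$(\d)", group, who_pattern)


def access(who_clauses, target_dn, bind_dn):
    """Return the level of the first matching <who> clause, else 'none'.

    bind_dn is None for an anonymous (unauthenticated) client.
    Returns None when the <what> pattern does not cover target_dn.
    """
    what_match = re.search(WHAT, target_dn, re.IGNORECASE)
    if what_match is None:
        return None
    for pattern, level in who_clauses:
        if pattern == "anonymous":
            if bind_dn is None:
                return level
            continue
        if bind_dn and re.search(expand(pattern, what_match), bind_dn,
                                 re.IGNORECASE):
            return level
    return "none"
```

In this model, the blanks around "$1" stay literal after expansion, so the logged form of the second clause cannot match a bind DN that contains no blanks.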