
Re: LDAP Access Control

Wed, 2002-09-18 at 02:54, Ace Suares wrote:

> access to dn="cn=(.*),cn=users,dc=example.com,dc=com" 
>        attrs=entry,children
>        by dn="cn=$1,cn=users,dc=example.com,dc=com" write
> gives write access to the entry and its children to whomever 
> cn=(.*) happens to be. The $1 is a substitute for the first matched 
> parenthesis in the regular expression.
> I am not entirely sure if it works, just try it and see.
> Another, maybe more clear way would be:
> access to dn="cn=(.*),cn=users,dc=example.com,dc=com" 
> 	by dn="cn=$1,cn=users,dc=example.com,dc=com" write
> access to dn=".*,cn=(.*),cn=users,dc=example.com,dc=com" 
> 	by dn="cn=$1,cn=users,dc=example.com,dc=com" write

I discussed this with Billy and we decided to give it a try. We have the
time, you don't :-)

The below works beautifully for:


access to dn=".*,cn=(.*),ou=people,ou=groups,dc=billy,dc=demon,dc=nl"
        by anonymous auth
        by dn="cn=Admin,dc=billy,dc=demon,dc=nl" write
        by dn="cn=$1,ou=people,ou=groups,dc=billy,dc=demon,dc=nl" write


Without the "attrs" constraint, it works as well. Superfluous, in as
much as the whole dn for "cn=App1,cn=Torgeir*" belongs under Torgeir,
and no-one else but Torgeir (except Admin and Manager) can read it
anyway (with GQ one can see the - desired - hierarchy in tree form).

I gave App1 an objectClass of top,applicationProcess. Maybe someone else
has a better choice of objectClass for an application.

Great, Ace! Thanks for the "food for thought." Now back to fscking PHP4.




Tony Earnshaw

Tha can allway tell a Yorkshireman, but tha canna tell 'im much.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
gpg public key:	http://www.billy.demon.nl/tonni.armor

Telefoon:	(+31) (0)172 530428
Mobiel:		(+31) (0)6 51153356

GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981

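As an added example, not code from this thread or from OpenLDAP itself: a small Python model of how the ACL posted above resolves $1, so the rule can be exercised against sample DNs before it goes into slapd.conf. It assumes both dn patterns are matched as regexes (unanchored, as POSIX regexec() does), that $1 is replaced by the first capture group of the "to" pattern, and that the first matching "by" clause decides.

```python
import re

# Added example: a simplified model of the slapd ACL quoted in this message,
# not slapd's own evaluator. It assumes both the "to dn" and the "by dn"
# patterns are regexes matched unanchored (like POSIX regexec()), that $1 is
# replaced by the first capture of the "to" pattern before the "by" pattern is
# tested, and that the first matching "by" clause decides (as slapd does).
ACL = {
    "to": r".*,cn=(.*),ou=people,ou=groups,dc=billy,dc=demon,dc=nl",
    "by": [
        ("anonymous", None, "auth"),
        ("dn", r"cn=Admin,dc=billy,dc=demon,dc=nl", "write"),
        ("dn", r"cn=$1,ou=people,ou=groups,dc=billy,dc=demon,dc=nl", "write"),
    ],
}


def access_for(acl, target_dn, bind_dn):
    """Access level the ACL grants bind_dn on target_dn, or None.

    bind_dn=None models an anonymous (unauthenticated) connection.
    """
    m = re.search(acl["to"], target_dn)
    if not m:
        return None            # this ACL does not apply to the target at all
    for who, pattern, level in acl["by"]:
        if who == "anonymous":
            if bind_dn is None:
                return level
            continue
        # $1 is the cn captured from the target DN, spliced into the by-pattern
        expanded = pattern.replace("$1", m.group(1))
        if bind_dn is not None and re.search(expanded, bind_dn):
            return level
    return None                # no "by" clause matched: access is denied here


if __name__ == "__main__":
    base = "ou=people,ou=groups,dc=billy,dc=demon,dc=nl"
    app = "cn=App1,cn=Torgeir," + base           # child entry under Torgeir
    for bind in (None, "cn=Torgeir," + base, "cn=Tony," + base,
                 "cn=Admin,dc=billy,dc=demon,dc=nl"):
        print(f"{bind!s:55} -> {access_for(ACL, app, bind)}")
    # Torgeir's own entry is not covered: the pattern needs something before ",cn="
    print(access_for(ACL, "cn=Torgeir," + base, "cn=Torgeir," + base))
```

Because the matching is unanchored, anchoring the patterns with ^ and $ is the usual way to make sure only the intended subtree and the intended binder can match.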