
RE: LDAP Access Control



Hi, I've been trying to follow this discussion, mainly because I need to
know and use this.  Can anyone tell me what is wrong with this statement:

access to dn="uid=([^,]+),ou=MktgProspects,dc=test,dc=com"
        by dn="uid=ldapadm.+\+realm=TEST.COM"                   write
        by dn="uid=webadm.+\+realm=TEST.COM"                    write
        by *                                                    read

Ldapadm is the root user.  The object is to give webadm access to add/manage
entries, but only for that specific portion of the directory
(ou=MktgProspects,dc=...).  I haven't been able to get this to work using an
ldapadd statement.  I've tried several different variations, no luck.

Thanks for any help  --  John

-----Original Message-----
From: Tony Earnshaw [mailto:tonni@billy.demon.nl]
Sent: Thursday, September 19, 2002 12:19 PM
To: Frank Swasey
Cc: Daniel Tiefnig; openldap-software@OpenLDAP.org
Subject: Re: LDAP Access Control
Importance: High


Thu, 2002-09-19 at 17:21, Frank Swasey wrote:

> > I don't understand the following regex, by the way, after having read
> > the necessary: It doesn't make sense to me, but it obviously works:
> > [^,]+
> > To me it says: "Everything of one character or more, but not including a
> > comma." As I said, it works (so does [^,]*), while .+ or .* doesn't.
> > What's the difference?

> Well, the difference is that "but not including a comma" part.  Without
> preventing the comma from being included, your regex would match
> something like
> cn=Jo Bob,cn=Jim Bob,ou=people ... (can't remember what I snipped)
> Also, the * instead of + would allow
> cn=,ou=people ...

Thanks for the trouble, but clear as mud, Frank.

If you'd be so kind as to look at the quotes that I ... hrrrm ...
quoted, you'll see that there are *no commas* in the bit that has the
no-comma regex, whereas there are commas in the one without the no-comma
regex, although the commas in the latter get ignored.

I'm coming more and more to the conclusion that only the code writers
here (mainly Kurt and Howard) know what they're talking about when it
comes to regex. The rest say they do, but with them it's rather like
with your local priest or mullah promising you eternal life if you do
what he says.

For real regex writers one needs the Exim list, but I hardly dare ask
there.

Best,

Tony

--

Tony Earnshaw

Tha can allway tell a Yorkshireman, but tha canna tell 'im much.

e-mail:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
gpg public key:	http://www.billy.demon.nl/tonni.armor

Telephone:	(+31) (0)172 530428
Mobile:		(+31) (0)6 51153356

GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
3BE7B981
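
Added example, not part of either message above: the `[^,]+` versus `.+` question from the quoted exchange, run through the POSIX `regcomp`/`regexec` functions against the target DN pattern from John's ACL. It assumes the server evaluates the pattern as an unanchored, case-insensitive POSIX extended regex; the sample DNs, the anchored third pattern and the helper name `dn_matches` are constructed for illustration.

```c
#include <regex.h>
#include <stdio.h>

#define SUFFIX ",ou=MktgProspects,dc=test,dc=com"

/* 1 = pattern matches dn, 0 = no match, -1 = pattern does not compile.
 * The flags are an assumption about how the server evaluates ACL patterns. */
int dn_matches(const char *pattern, const char *dn)
{
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_ICASE | REG_NOSUB) != 0)
        return -1;
    int rc = regexec(&re, dn, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

int main(void)
{
    const char *patterns[] = {
        "uid=([^,]+)" SUFFIX,        /* target pattern from the ACL above */
        "uid=(.+)" SUFFIX,           /* same, with .+ in place of [^,]+ */
        "^uid=([^,]+)" SUFFIX "$",   /* anchored variant (added here) */
    };
    const char *dns[] = {            /* constructed sample DNs */
        "uid=jdoe" SUFFIX,           /* direct child of the ou */
        "uid=jdoe,ou=Staff" SUFFIX,  /* one level deeper */
        "cn=x,uid=jdoe" SUFFIX,      /* entry below a uid= entry */
        "uid=" SUFFIX,               /* empty RDN value */
    };
    for (size_t p = 0; p < sizeof patterns / sizeof *patterns; p++) {
        printf("%s\n", patterns[p]);
        for (size_t d = 0; d < sizeof dns / sizeof *dns; d++)
            printf("  %-5s %s\n",
                   dn_matches(patterns[p], dns[d]) == 1 ? "match" : "no",
                   dns[d]);
    }
    return 0;
}
```

With `.+` the pattern also covers entries in nested containers, because `.` crosses RDN boundaries; without `^` and `$` either pattern can match in the middle of a longer DN.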