RE: LDAP Access Control
Just an FYI: I didn't get any responses, but I fixed the problem. I tried
several ways, couldn't figure out what could possibly be wrong, and then I
thought "Hmm, I wonder if the default RH73 rpms have acl support enabled by
default?" The answer is no. Oops. Working fine now.
I updated my acl to:
access to dn.children="ou=MktgProspects,dc=testco,dc=com"
by dn="uid=ldapadm.+\+realm=TESTCO.COM" write
by dn="uid=webadm,ou=SystemAccounts,o=Test Co,dc=testco,dc=com"
by * read
I have a question though: the syntax .+\+realm= does not seem to be working,
so I switched to the full dn. Is this something wrong with my Kerberos/LDAP
config? All tests seem to be fine.
Thanks again -- John
From: John Green [mailto:firstname.lastname@example.org]
Sent: Monday, September 23, 2002 10:24 AM
To: Openldap-Software (E-mail)
Subject: RE: LDAP Access Control
Hi, I've been trying to follow this discussion, mainly because I need to
know and use this. Can anyone tell me what is wrong with this statement:
access to dn="uid=([^,]+),ou=MktgProspects,dc=test,dc=com"
by dn="uid=ldapadm.+\+realm=TEST.COM" write
by dn="uid=webadm.+\+realm=TEST.COM" write
by * read
Ldapadm is the root user. The object is to give webadm access to add/manage
entries, but only for that specific portion of the directory
(ou=MktgProspects,dc=...). I haven't been able to get this to work using an
ldapadd statement. I've tried several different variations, no luck.
Thanks for any help -- John
From: Tony Earnshaw [mailto:email@example.com]
Sent: Thursday, September 19, 2002 12:19 PM
To: Frank Swasey
Cc: Daniel Tiefnig; openldap-software@OpenLDAP.org
Subject: Re: LDAP Access Control
Thu, 2002-09-19 at 17:21, Frank Swasey wrote:
> > I don't understand the following regex, by the way, after having read
> > the necessary: It doesn't make sense to me, but it obviously works:
> > [^,]+
> > To me it says: "Everything of one character or more, but not including a
> > comma." As I said, it works (so does [^,]*), while .+ or .* doesn't.
> > What's the difference?
> Well, the difference is that "but not including a comma" part. Without
> preventing the comma from being included, your regex would match
> something like
> cn=Jo Bob,cn=Jim Bob,ou=people ... (can't remember what I snipped)
> Also, the * instead of + would allow
> cn=,ou=people ...
Thanks for the trouble, but clear as mud, Frank.
If you'd be so kind as to look at the quotes that I ... hrrrm ...
quoted, you'll see that there are *no commas* in the bit that has the
no-comma regex, whereas there are commas in the one without the no-comma
regex, although the commas in the latter get ignored.
I'm coming more and more to the conclusion that only the code writers
here (mainly Kurt and Howard) know what they're talking about when it
comes to regex. The rest say they do, but with them it's rather like
with your local priest or mullah promising you eternal life if you do
what he says.
For real regex writers one needs the Exim list, but I hardly dare ask
Tha can allway tell a Yorkshireman, but tha canna tell 'im much.
gpg public key: http://www.billy.demon.nl/tonni.armor
Telefoon: (+31) (0)172 530428
Mobiel: (+31) (0)6 51153356
GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
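The regex point Frank makes above (why `[^,]+` confines a match to one RDN value while `.+` happily crosses into the next RDN, and why `*` instead of `+` also admits an empty value) can be checked outside slapd. The following is an added example, not code from the thread or from OpenLDAP: it runs the patterns from the discussion, plus John's `uid=([^,]+),ou=MktgProspects,...` entry pattern, against a few constructed DNs with Python's `re`. The patterns are simple enough that Python and the POSIX regex engine slapd uses agree on them; they are anchored explicitly with `^` and `$`, as the slapd.access(5) examples do, and compared case-insensitively as an approximation of slapd's normalized-DN comparison (both are assumptions of this example, not statements about the posters' configurations).

```python
import re

# Constructed sample DNs, modelled on the ones Frank quotes in the thread.
PEOPLE_BASE = "ou=people,dc=test,dc=com"
SAMPLE_DNS = [
    "cn=Jo Bob,ou=people,dc=test,dc=com",             # one RDN under ou=people
    "cn=Jo Bob,cn=Jim Bob,ou=people,dc=test,dc=com",  # an extra RDN level
    "cn=,ou=people,dc=test,dc=com",                   # empty cn value
]

# The four variants under discussion, written as 'access to dn=' / 'by dn=' regexes.
NO_COMMA_PLUS = r"cn=[^,]+," + PEOPLE_BASE   # [^,]+ : one or more non-comma chars
NO_COMMA_STAR = r"cn=[^,]*," + PEOPLE_BASE   # [^,]* : as above, but an empty value is allowed
ANY_PLUS      = r"cn=.+,"    + PEOPLE_BASE   # .+    : commas allowed, so it crosses RDNs
ANY_STAR      = r"cn=.*,"    + PEOPLE_BASE   # .*    : crosses RDNs and allows an empty value


def matching_dns(dn_regex, dns=SAMPLE_DNS):
    """Return the DNs from `dns` that a slapd-style dn regex matches.

    Anchored with ^ and $ (assumption: slapd regexes are anchored explicitly,
    as in the slapd.access(5) examples) and matched case-insensitively
    (assumption: a stand-in for slapd's normalized-DN comparison).
    """
    pat = re.compile("^" + dn_regex + "$", re.IGNORECASE)
    return [dn for dn in dns if pat.match(dn)]


# John's 'access to' pattern from the earlier message, with its capturing group.
PROSPECT_RE = re.compile(r"^uid=([^,]+),ou=MktgProspects,dc=test,dc=com$", re.IGNORECASE)


def prospect_uid(dn):
    """Return the uid captured by John's pattern, or None if the DN is out of scope.

    Because [^,]+ cannot span a comma, only direct children of ou=MktgProspects
    match; an entry one level deeper, or under a different ou, is rejected.
    """
    m = PROSPECT_RE.match(dn)
    return m.group(1) if m else None


if __name__ == "__main__":
    for name, rx in [("[^,]+", NO_COMMA_PLUS), ("[^,]*", NO_COMMA_STAR),
                     (".+", ANY_PLUS), (".*", ANY_STAR)]:
        print(f"{name:>6} matches: {matching_dns(rx)}")
    for dn in ["uid=jdoe,ou=MktgProspects,dc=test,dc=com",
               "uid=jdoe,ou=Staff,ou=MktgProspects,dc=test,dc=com",
               "uid=jdoe,ou=Other,dc=test,dc=com"]:
        print(f"{dn!r:>55} -> uid {prospect_uid(dn)!r}")
```

Running it shows the two failure modes in one place: `.+` accepts `cn=Jo Bob,cn=Jim Bob,ou=people,...`, i.e. an entry one level below the intended container, and `[^,]*` or `.*` accepts `cn=,ou=people,...`. For an access rule that is the difference between "this entry" and "this entry and anything nested under it", which is why the comma exclusion matters.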