Re: ACI/ACL based on entry attribute values
There are flags to regexps that can make them choose a
"minimal" rather than greedy match; I haven't looked at the gnu
regexp lib for a while, but certainly perl lets you do this.
What you are suggesting is not exactly what I mean though. The
difference is in order. The substrings are taken from the target entry
data and matched against the user entry. I understand that this is tied into
how ACLs work (i.e. they first find all ACL entries that match the target,
then try users against that). The reverse would do what I need.
I.e. - in your case (assuming a non-greedy match) you basically choose the
very last component of a tree (or in a greedy match the entire base dn).
case only one entry will match, either the one on the very top or the one
In a reverse mode we take the entire user entry dn as a substring and match it against
the target. We then get the match for all user entries above the target,
at any level (not only the top or the direct parent).
This matching order would require a different ACL processing, that much is
Howard Chu wrote:
[mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Ugen
access to targetattrmatch dn=".*$1$"
by attrpick dn="(.*)" write
I just let anyone above any entry have write access to
This would be the equivalent
access to dn=".*,(.*$)"
by dn="$1" write
But neither my example nor yours would work in a practical environment since
regexp matches are greedy.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support
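To make the greedy/non-greedy capture and the "reverse" ancestor match concrete, here is an added Python illustration; it is not from the thread or from OpenLDAP's ACL code, the sample DNs are constructed, and the suffix test is a simplified stand-in for real DN normalization.

```python
import re

# Constructed sample target entry (not taken from the thread).
TARGET = "cn=doc,ou=people,ou=sales,dc=example,dc=com"


def captured_parent_dn(target_dn: str, greedy: bool = True) -> str:
    """Simulate what $1 would hold for a rule like  access to dn=".*,(.*$)".

    With a greedy leading '.*' the regex engine swallows up to the LAST comma,
    so the group captures only the final RDN (the top of the tree).  The
    non-greedy variant '.*?,' stops at the FIRST comma and captures the direct
    parent.  Either way exactly one DN is produced, never "any ancestor".
    """
    pattern = r".*,(.*$)" if greedy else r".*?,(.*$)"
    m = re.fullmatch(pattern, target_dn)
    return m.group(1) if m else ""


def reverse_mode_match(user_dn: str, target_dn: str) -> bool:
    """The reversed order described above: take the whole user DN as the
    substring and test it against the target.  True when the user entry is a
    proper ancestor of the target at ANY level.

    Simplification (assumption): DN equivalence is approximated by a
    case-insensitive suffix test; real DN matching also normalises
    whitespace and attribute-type aliases.
    """
    return target_dn.lower().endswith("," + user_dn.lower())


def ancestors_with_write(target_dn: str, candidate_users: list[str]) -> list[str]:
    """Filter a list of user DNs down to those the reverse rule would grant."""
    return [u for u in candidate_users if reverse_mode_match(u, target_dn)]
```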