[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Regex access problem in slapd.conf

fre, 2003-01-03 kl. 19:54 skrev Paul Wilson:

> The real uids are in the form of an email address, ie.
> uid=memphis@someorg.org, blah blah blah.  The cn is a group, in the form
> of the domain, ie. cn=someorg.org, blah blah blah.  So my original regex
> was more along the lines of:
> access to * by dn=uid=([a-zA-Z0-9]*)@(.*),ou=Users,o=ORG,c=US

I may have missed something along the road, but for me "access to *"
would be wrong syntax. This has to be specific and hierarchichal just as
DNS is. You can't tell an Internet root server that it's responsible for
*, it has onlt to be responsible for top level name servers, the system
working downwards and outwards from that.

You give the root DN in slapd.conf and expand on that specifically in
the ACLs, defining exactly.

> dn=uid=([a-zA-Z0-9]*)@(.*),ou=Users,o=ORG,c=US

A Unix uid isn't an ldap mail attribute, unless you want to get into
trouble "down the line." A Unix uid is something you'd find in
/etc/passwd. You can make a cn a mail address, if you really want to.

access to dn="cn(.*),ou=Users,o=ORG,c=US"
  by dn="cn=([a-zA-Z0-9]*)@(.*),ou=Users,o=ORG,c=US" read

would presumably work. but so should:
  by dn="cn=$1,ou=Users,o=ORG,c=US" read

if everyone in ou=Users has a mail address. Therefore:
  access to dn.children="ou=Users,o=ORG,c=US" by read

should also work and save masses of processing power, according to
what's been said on this list.

I'm tired :)




Tony Earnshaw

When all's said and done ...
there's nothing left to say or do.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl