Re: slapd.conf access statement
On Sun, 2003-01-12 at 20:45, Jason Parsons wrote:
> This is close to what I was looking for, however the issue is that
> there are thousands of OU's under the ou=accounts,dc=example,dc=net
> subtree. I was hoping that there was a way to wildcard, but still be
> able to use dn.children.

Wild cards in the form of regular expressions work. The value extracted
from the expression can be transposed:

access to dn="cn=(.*),ou=people,ou=groups,dc=myorg,dc=com"

and

access to dn="cn=([^,]+),ou=people,ou=groups,dc=myorg,dc=com"

return valid though possibly different cns.

        attr=children
        by anonymous auth
        by dn="cn=$1,ou=people,ou=groups,dc=myorg,dc=com" write
        by dn=".*,ou=people,ou=groups,dc=myorg,dc=com" read
        by dn="cn=exim,ou=services,ou=groups,dc=myorg,dc=com" read
        by dn="cn=Admin,dc=myorg,dc=com" write
        by * none

It's been pointed out that wildcards should be avoided where
performance is a "must."
Best,
Tony
--
> On Sunday, January 12, 2003, at 06:42 AM, Dieter Kluenter wrote:
>
> > access to cn=one,ou=blah.net,ou=accounts,dc=example,dc=net
> > by dn.children= "cn=one,ou=blah.net,ou=accounts,
> > dc=example,dc=net" write
> >
> > could be a possibility, or a bit more sophisticated
> >
> > access to dn.subtree="cn=one,ou=blah.net,ou=accounts,dc=example,dc=net"
> > by dn.children="cn=one,ou=blah.net,ou=accounts,
> > dc=example,dc=net" read continue
> > by dn.exact="uid=(.*),cn=one,ou=blah.net,ou=accounts,
> > dc=example,dc=net" selfwrite continue
> > by * none stop
> >
> > See man (5) slapd.access
--
Tony Earnshaw
When all's said and done ...
there's nothing left to say or do.
e-mail: tonni@billy.demon.nl
www: http://www.billy.demon.nl
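
Added example, not part of the original message and not OpenLDAP code: it shows how the two "access to dn=" patterns above can capture different values for $1 on the same entry, which changes who the "by dn=cn=$1,..." clause grants write to. Assumptions: Python's re.search stands in for slapd's POSIX extended regex match (case-insensitive, not implicitly anchored), the helper names are hypothetical, and the sample DNs are constructed.

```python
import re

SUFFIX = "ou=people,ou=groups,dc=myorg,dc=com"
WHAT_GREEDY = "cn=(.*)," + SUFFIX    # first pattern from the message
WHAT_RDN = "cn=([^,]+)," + SUFFIX    # second pattern from the message
WHO_TEMPLATE = "cn=$1," + SUFFIX     # the "by dn=... write" clause


def capture(what_pattern, entry_dn):
    """Return the value bound to $1 for entry_dn, or None when no match.

    Assumption: re.search approximates slapd's regex evaluation for
    these simple patterns (unanchored, case-insensitive).
    """
    m = re.search(what_pattern, entry_dn, re.IGNORECASE)
    return m.group(1) if m else None


def expand_who(what_pattern, entry_dn):
    """Return the 'by dn=' pattern after $1 substitution, or None."""
    value = capture(what_pattern, entry_dn)
    if value is None:
        return None
    return WHO_TEMPLATE.replace("$1", value)


# Constructed sample DNs: a person entry, an entry one level below it,
# and an entry outside ou=people that neither pattern should match.
SAMPLES = [
    "cn=alice,ou=people,ou=groups,dc=myorg,dc=com",
    "cn=notes,cn=alice,ou=people,ou=groups,dc=myorg,dc=com",
    "cn=exim,ou=services,ou=groups,dc=myorg,dc=com",
]

if __name__ == "__main__":
    for dn in SAMPLES:
        print("entry:", dn)
        for label, pat in (("(.*)", WHAT_GREEDY), ("([^,]+)", WHAT_RDN)):
            # (.*) may swallow commas and span several RDNs;
            # ([^,]+) always stops at the first RDN boundary.
            print("  %-8s $1=%r -> by dn=%r"
                  % (label, capture(pat, dn), expand_who(pat, dn)))
```

For the entry below cn=alice, (.*) binds $1 to several RDNs at once, while ([^,]+) binds it to the single cn directly under ou=people, so the expanded "by dn=" clause names a different identity in each case.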