
Re: slapd.conf access statement



Sun, 2003-01-12 at 20:45, Jason Parsons wrote:

> This is close to what I was looking for, however the issue is that 
> there are thousands of OU's under the ou=accounts,dc=example,dc=net 
> subtree.  I was hoping that there was a way to wildcard, but still be 
> able to use dn.children.

Wild cards in the form of regular expressions work. The value extracted
from the expression can be transposed:

access to dn="cn=(.*),ou=people,ou=groups,dc=myorg,dc=com"
and
access to dn="cn=([^,]+),ou=people,ou=groups,dc=myorg,dc=com"

return valid though possibly different cns.

  attr=children
  by anonymous auth
  by dn="cn=$1,ou=people,ou=groups,dc=myorg,dc=com" write
  by dn=".*,ou=people,ou=groups,dc=myorg,dc=com" read
  by dn="cn=exim,ou=services,ou=groups,dc=myorg,dc=com" read
  by dn="cn=Admin,dc=myorg,dc=com" write
  by * none

It's been pointed out that wildcards should be avoided where
performance is a "must."

Best,

Tony
--

> On Sunday, January 12, 2003, at 06:42 AM, Dieter Kluenter wrote:
> 
> > access to cn=one,ou=blah.net,ou=accounts,dc=example,dc=net
> >        by dn.children= "cn=one,ou=blah.net,ou=accounts,
> >        dc=example,dc=net"  write
> >
> > could be a possibility, or a bit more sophisticated
> >
> > access to dn.subtree="cn=one,ou=blah.net,ou=accounts,dc=example,dc=net"
> >        by dn.children="cn=one,ou=blah.net,ou=accounts,
> >        dc=example,dc=net" read continue
> >        by dn.exact="uid=(.*),cn=one,ou=blah.net,ou=accounts,
> >        dc=example,dc=net" selfwrite continue
> >        by * none stop
> >
> > See man (5) slapd.access
-- 

Tony Earnshaw

When all's said and done ...
there's nothing left to say or do.

e-mail:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
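
An added example, not part of the original message or of OpenLDAP: it uses Python's re module to show what $1 holds for the two patterns in the reply above, and which DN the `by dn="cn=$1,..."` clause then names, on a few constructed DNs. It assumes the pattern is applied unanchored, as written in the message, and that Python's matching agrees with slapd's regex library for these simple patterns.

```python
import re

# Suffix used in the message's example ACL.
SUFFIX = "ou=people,ou=groups,dc=myorg,dc=com"

# The two <what> patterns from the message, unanchored as written there.
GREEDY = "cn=(.*)," + SUFFIX
ONE_RDN = "cn=([^,]+)," + SUFFIX


def capture(pattern, target_dn):
    """Return what $1 would hold for target_dn, or None if there is no match."""
    m = re.search(pattern, target_dn)
    return m.group(1) if m else None


def expanded_who(pattern, target_dn):
    """Expand by dn="cn=$1,<SUFFIX>" for the given target entry."""
    value = capture(pattern, target_dn)
    return None if value is None else "cn=%s,%s" % (value, SUFFIX)


# Constructed sample DNs (not taken from the thread).
SAMPLES = [
    "cn=alice," + SUFFIX,              # entry directly under the suffix
    "cn=printer,cn=alice," + SUFFIX,   # child entry below cn=alice
    "cn=bob,ou=staff," + SUFFIX,       # entry one OU deeper
]


def compare():
    """Return (target, who under (.*), who under ([^,]+)) for each sample."""
    return [(dn, expanded_who(GREEDY, dn), expanded_who(ONE_RDN, dn))
            for dn in SAMPLES]


if __name__ == "__main__":
    for dn, greedy, one_rdn in compare():
        print("target   :", dn)
        print("  (.*)   ->", greedy)
        print(" ([^,]+) ->", one_rdn)
```

On the second DN both patterns match but hand different values to $1, so the write clause names a different DN; on the third only `(.*)` matches at all. Anchoring the pattern with `^` and `$` makes `([^,]+)` match only entries exactly one RDN below the suffix.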