
Re: ACL's and madness

tor, 2003-02-20 kl. 09:34 skrev Mitrana Cristian:

> bonehead mistake that I am blind to.
> > 
> > #authenticated users can create and modify private child entries(theory)
> > access to dn=".*,uid=.*,ou=users,ou=People,dc=home,dc=com"
> > 	by dn="$1" write
> > 	by anonymous auth
> I don't have an environment to test it, but you can try something of :
> access to dn.subtree="uid=([^,]+),ou=users,ou=People,dc=home,dc=com"
> 	by dn="$1,ou=users,ou=People,dc=home,dc=com" write
> 	by * none
> (could be "children" instead of "subtree" but I don't even have
> an entry in the man section for slapd.access).
> I'll try something that really works when I get the chance to
> fire up slapd :) and get back to you.

That's why people will believe I'm mad.

With 2.1.8, 2.1.10 and 2.1.12, if I try:

access to dn.subtree="cn=([^,]+),dc=myorg,dc=us"
        by cn=$1,dc=myorg,dc=us"
        by anonymous read
        by anonymous auth

I get:

"/usr/local/ldaptest/etc/openldap/slapd.conf: line 55: bad DN

O.k., so I don't have uid as RDN, I have cn. But what the thingy?

Without the subtree and children styles, it works, but only partly. Then
I have to expressly put "attr=sub", "attr=children", etc. beneath the
"access to" statement. Repeat: "Even then it doesn't work properly."

Variations on it give various other no-no faults.

I have my *own* way of doing it, which works perfectly ("For Me (tm)"),
but Howard has already bitten off my ear for airing it on this list
(Sept last year), so I don't dare to, any more.

Recapping, I *do* give people in a group access to modify what is under
them in their own subtree, and other RDNs various rights to access those
objects (read, write etc. etc.). But, I do it my own way and don't dare
to state how on this list.




Tony Earnshaw

When you rob a person of his illusions,
you are robbing him of his happiness

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
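What the thread is circling around is that `$1`-style substitution in a `by` clause only works when the `to` clause uses the `regex` DN style, and that in regex style the anchors decide what a rule actually covers. The following is an added example, not code from the original mail or from OpenLDAP itself: a small Python model of slapd's regex-style ACL matching, with a constructed ACL that does what Tony describes (each `cn=...` entry directly under `dc=myorg,dc=us`, taken from the mail, may write itself and anything beneath it, anonymous may only bind) placed beside the same rule with an unanchored `by` regex. The DN `cn=gadget,cn=tony,dc=myorg,dc=us` is constructed, and the fall-through level used when no `access to` matches is an assumption stated in the code; real slapd also normalises DNs before matching, which the model assumes its inputs already are.

```python
"""Toy evaluator for the regex-style subset of slapd.conf ACL syntax.

Constructed example, not OpenLDAP code.  It models only:

  access to dn.regex="<regex>"
      by dn.regex="<regex, may contain $0..$9>" <level>
      by anonymous|users|self|* <level>

Semantics modelled after slapd: the first 'access to' whose regex matches
the entry DN is selected and no later one is consulted; inside it the first
'by' clause matching the bound identity decides the level.  $N in a 'by'
regex is replaced with the literal Nth submatch of the 'to' regex.
"""
import re
import shlex

LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Added example ACL (not from the thread).  Goal from the thread: a user may
# write their own entry and anything beneath it, anonymous may only bind.
GOOD_ACL = r'''
access to dn.regex="^(.+,)?cn=([^,]+),dc=myorg,dc=us$"
        by dn.regex="^cn=$2,dc=myorg,dc=us$" write
        by anonymous auth
        by * none
'''

# Same intent, but the 'by' regex is not anchored.  regexec() matches
# substrings, so "cn=tony,dc=myorg,dc=us" is found inside the DN of any entry
# *under* tony, and such an entry, if it can bind, may rewrite its parent.
WEAK_ACL = r'''
access to dn.regex="^(.+,)?cn=([^,]+),dc=myorg,dc=us$"
        by dn.regex="cn=$2,dc=myorg,dc=us" write
        by anonymous auth
        by * none
'''


def parse_acl(text):
    """Parse ACL text into a list of (target_regex, [(who, pattern, level)])."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)          # honours the double quotes
        if tok[:2] == ["access", "to"]:
            style, _, pattern = tok[2].partition("=")
            if style != "dn.regex":
                raise ValueError("only dn.regex targets are modelled: " + line)
            rules.append((re.compile(pattern, re.IGNORECASE), []))
        elif tok[0] == "by" and rules:
            who, level = tok[1], tok[2]
            if level not in LEVELS:
                raise ValueError("unknown access level: " + level)
            if who.startswith("dn.regex="):
                rules[-1][1].append(("dn.regex", who[len("dn.regex="):], level))
            elif who in ("anonymous", "users", "self", "*"):
                rules[-1][1].append((who, None, level))
            else:
                raise ValueError("unsupported <who>: " + who)
        else:
            raise ValueError("cannot parse: " + line)
    return rules


def expand(pattern, match):
    """Substitute $0..$9 with the 'to' regex submatches, literally and without
    escaping, as slapd does (an unmatched optional group becomes "")."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))) or "", pattern)


def access_level(rules, entry_dn, bound_dn=None):
    """Level that bound_dn (None = anonymous) has on entry_dn.

    Inputs are assumed already normalised (slapd matches normalised DNs).
    Assumed fall-through when no 'access to' matches: slapd's built-in
    'access to * by * read'; when a rule matches but no 'by' does: none.
    """
    for target, by_clauses in rules:
        m = target.search(entry_dn)      # regexec() is unanchored: ^ and $ matter
        if m is None:
            continue
        for who, pattern, level in by_clauses:
            if who == "*":
                return level
            if who == "anonymous" and bound_dn is None:
                return level
            if who == "users" and bound_dn is not None:
                return level
            if who == "self" and bound_dn is not None and bound_dn.lower() == entry_dn.lower():
                return level
            if who == "dn.regex" and bound_dn is not None and \
                    re.search(expand(pattern, m), bound_dn, re.IGNORECASE):
                return level
        return "none"
    return "read"


def allows(rules, entry_dn, bound_dn, wanted):
    """True if the granted level is at least `wanted` (slapd levels are ordered)."""
    return LEVELS.index(access_level(rules, entry_dn, bound_dn)) >= LEVELS.index(wanted)


if __name__ == "__main__":
    good, weak = parse_acl(GOOD_ACL), parse_acl(WEAK_ACL)
    tony, child = "cn=tony,dc=myorg,dc=us", "cn=gadget,cn=tony,dc=myorg,dc=us"
    print("tony on own entry:        ", access_level(good, tony, tony))
    print("tony on own child:        ", access_level(good, child, tony))
    print("child entry on tony, good:", access_level(good, tony, child))
    print("child entry on tony, weak:", access_level(weak, tony, child))
```

The `(.+,)?` prefix is what makes one rule cover both the user's own entry and its whole subtree, so no separate `children`/`subtree` rule is needed; the `^`/`$` anchors in the `by` regex are what keep a child entry from being able to write its parent. Because `$2` is pasted in literally, an RDN value containing regex metacharacters is interpreted as regex, which is one more reason to keep the `by` pattern anchored.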