[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL's and madness

To: Ziya Suzen <ziya@ripe.net>
Subject: Re: ACL's and madness
From: Tom Possin <tpossin@ywammt.org>
Date: 20 Feb 2003 09:16:47 -0700
Cc: ldap list <openldap-software@OpenLDAP.org>
In-reply-to: <20030220153022.GA10001@cow.ripe.net>
References: <1045709232.1197.32.camel@localhost.localdomain> <20030220085333.GA29464@cow.ripe.net> <1045749622.2570.4.camel@localhost.localdomain> <20030220153022.GA10001@cow.ripe.net>

On Thu, 2003-02-20 at 08:30, Ziya Suzen wrote:

> parentheses are the key here. They create back-references meaning, $1
> is whats matched within the first parentheses. ($2 is second etc.)
Yes I thought about this, but in practice it does not work.
Without them it matches everyone, but with them nothing. It's
possible(likely) that I am making some small mistake in applying it to
my specific dn example it's just nothing I have tried has worked yet.
Also if that is what these parentheses are doing shouldn't that example
in the FAQ be: by dn="$2" write Then?(I think I tried this BTW) since
the $1 would be the dn of the child and not the parent that I want to
give write permission to? (Actually it seems that $1 in this case
matches darn near everything. That's really the problem any logged in
user can view and edit any entry below the level I specify on the first
line)
> 
> I'd recommend googling for a 'regex tutorial' for more information on
> regexes.
No offense in case you wrote one. But the regex "tutorials" I have seen
so far look like someone turned a chimp loose on the keyboard
desperately searching for the feeder button.<joke> I have concluded that
by the time a person has suffered enough abuse to gain proficiency in
regex his/her brain has been so hopelessly damaged that communication
with regular human beings is impossible</joke> However I suspect that I
will not escape this project without many more trips through regex hell.
(I'll be truly frightened when it all makes sense. Thanks ;)
> 
> Other problem might be the order of access directives. I.e. in your
> previous post if you were trying to insert an object with
> 'userPassword' attribute, it wouldn't be successful because it is only
> allowed to 'self' and 'cn=manager,...'. Although the second directive
> allows the user to write anything below its own node, after first
> directive being matched ACL evaluation stops.
Thank you I take it then I should but this directive below the one we
are working on? Although for my specific app I don't think it will
matter since I am trying to build personal address books here and not
trying to create managed user groups this way.

-- 
Tom
***********************************************
A computer once beat me at chess...
But, as it turns out, it was no match for me at kick boxing.

Follow-Ups:
- Re: ACL's and madness
  - From: Tony Earnshaw <tonni@billy.demon.nl>

References:
- ACL's and madness
  - From: Tom Possin <tpossin@ywammt.org>
- Re: ACL's and madness
  - From: Ziya Suzen <ziya@ripe.net>
- Re: ACL's and madness
  - From: Tom Possin <tpossin@ywammt.org>
- Re: ACL's and madness
  - From: Ziya Suzen <ziya@ripe.net>

Prev by Date: libldapcpp API sample code
Next by Date: Re: oot: the best DSA
Index(es):
- Chronological
- Thread