
ACL Madness cured



For those who helped me earlier, I thought I would post the ACL that
finally does what I wanted. Thanks to all who responded.

To recap, I wanted a bound user to be able to create, destroy and
maintain any child record. But I did not want anyone else except the
root to be able to see them, etc. (private address lists for users).

Here is the winner:
access to dn="(.*),(uid=.*,ou=users,ou=People,dc=home,dc=com)"
	by anonymous auth
	by dn="$2" write

Here is the answer in the FAQ-O-MATIC:
access to dn=".*,(uid=.*,o=Company)"
        by dn="$1" write
        by anonymous auth

In order to make this work, the parentheses around the first wildcard
needed to be added. The anonymous auth needed to be raised one level to
exclude anonymous viewing, and the $1 needed to be changed to $2.

I included this post so others would not have to go through what I did
to get this to work. The FAQ is wrong, as near as I can tell. Or maybe it
was trying to do something else; I don't know anymore, but this seems to
work well.

FWIW - I hope it helps,
-- 
Tom
***********************************************
A computer once beat me at chess...
But, as it turns out, it was no match for me at kick boxing.
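As an added illustration (not part of Tom's post and not slapd code), the toy model below walks through the evaluation rules that make the $1 to $2 change necessary once a second capture group is added: slapd picks the first `access to` clause whose target matches the entry DN, then the first `by` clause that matches the requester, and `$n` in a `by dn=` clause expands to the n-th capture group of that target regex. The model assumes a rootdn of `cn=Manager,dc=home,dc=com` (rootdn is never subject to ACLs), anchors the target regex and compares DNs case-insensitively, and treats both "no matching `by` clause" (slapd's implicit `by * none`) and "no matching `access to` clause" as no access; the user and entry DNs are constructed for the example. It also shows a caveat the post does not cover: the pattern matches only entries *below* a `uid=` entry, never the `uid=` entry itself, so the user's own entry (and its `userPassword`, which a simple bind needs `auth` access to) must be covered by some other access directive.

```python
"""Toy model of OpenLDAP regex ACL evaluation (constructed example, not slapd).

Supports only what the two ACLs in the thread use: an `access to dn="<regex>"`
target, `by anonymous`, `by dn="$n"` with capture-group expansion, `by *`,
first-match selection of both the `access to` and the `by` clause, and an
implicit `by * none` when nothing matches.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed rootdn for the example; rootdn bypasses ACLs entirely.
ROOTDN = "cn=Manager,dc=home,dc=com"


@dataclass
class By:
    who: str                 # "anonymous", "*" or "dn"
    pattern: Optional[str]   # for who == "dn": a pattern such as "$2"
    level: str               # access level granted, e.g. "auth" or "write"


@dataclass
class Acl:
    target: str              # regex over the entry DN (anchored in this model)
    clauses: List[By]


def expand(pattern: str, match: "re.Match") -> str:
    """Replace $1, $2, ... with the corresponding capture group of the target."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))), pattern)


def access(acls: List[Acl], entry_dn: str, bound_dn: Optional[str]) -> str:
    """Access level `bound_dn` (None = anonymous) has to `entry_dn`."""
    if bound_dn is not None and bound_dn.lower() == ROOTDN.lower():
        return "write"                      # rootdn: ACLs are not consulted
    for acl in acls:
        m = re.fullmatch(acl.target, entry_dn, re.IGNORECASE)
        if not m:
            continue                        # first matching target decides
        for by in acl.clauses:
            if by.who == "*":
                return by.level
            if by.who == "anonymous" and bound_dn is None:
                return by.level
            if (by.who == "dn" and bound_dn is not None
                    and expand(by.pattern, m).lower() == bound_dn.lower()):
                return by.level
        return "none"                       # implicit 'by * none'
    return "none"                           # no target matched (model's choice)


# Tom's target regex: group 1 is the child's RDN(s), group 2 the owner's DN.
TARGET = r"(.*),(uid=.*,ou=users,ou=People,dc=home,dc=com)"

TOMS_ACL = [Acl(TARGET, [By("anonymous", None, "auth"), By("dn", "$2", "write")])]
# Same target but still using $1: what you get after adding the parentheses
# around the first wildcard without renumbering the group reference.
DOLLAR1_ACL = [Acl(TARGET, [By("anonymous", None, "auth"), By("dn", "$1", "write")])]

# Constructed DNs for the walkthrough.
TOM = "uid=tom,ou=users,ou=People,dc=home,dc=com"
BOB = "uid=bob,ou=users,ou=People,dc=home,dc=com"
ENTRY = "cn=alice,uid=tom,ou=users,ou=People,dc=home,dc=com"
DEEP_ENTRY = "cn=carol,ou=work,uid=tom,ou=users,ou=People,dc=home,dc=com"


def demo() -> dict:
    """Evaluate the interesting (entry, requester) pairs against both ACLs."""
    return {
        "owner_on_child":      access(TOMS_ACL, ENTRY, TOM),        # write
        "owner_on_deep_child": access(TOMS_ACL, DEEP_ENTRY, TOM),   # write
        "other_user_on_child": access(TOMS_ACL, ENTRY, BOB),        # none
        "anonymous_on_child":  access(TOMS_ACL, ENTRY, None),       # auth
        "rootdn_on_child":     access(TOMS_ACL, ENTRY, ROOTDN),     # write
        "owner_with_dollar1":  access(DOLLAR1_ACL, ENTRY, TOM),     # none
        "owner_on_own_entry":  access(TOMS_ACL, TOM, TOM),          # none
    }


if __name__ == "__main__":
    for case, level in demo().items():
        print(f"{case:22s} -> {level}")
```

With `$1`, the `by dn=` clause expands to `cn=alice`, which can never equal a bound DN, so the owner falls through to the implicit `by * none`; with `$2` it expands to the owner's own `uid=` DN and grants write. The last case shows the owner getting nothing on `uid=tom,...` itself, because the regex requires a comma before `uid=`.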