
Re: ACLs, groups, and regular expressions... oh my



Mon, 2003-03-10 at 08:58, Dieter Kluenter wrote:

> > I have been trying to formulate an acl that will allow read access to the
> > ldap server, if they are a member of any of the groups.
> >
> > Here is the acl I came up with:
> >
> > access to *
> >    by group="cn=(.*),dc=example,dc=com read
> >    by anonymous bind
> >    by * none
> 
> > Now as I see it anybody that is a member of any group there should get
> > read access to the box.  However, that of course, is not happening.
> 
> No, you don't have a group entry. Better use the dn.subtree
> statement. See man (5) slapd.access

Just as a matter of interest, so-called dnstyles don't work on my 2.1.x
servers when I use regexes - as above. E.g. 'dn.children' doesn't work
with regexes (does without), though things like 'attr=children' *do*
work.

Anyone else with the same experience?

Best,

Tony

-- 

Tony Earnshaw

All the world is mad, exceptin thee and me
and even thee's a little queer

e-mail:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl