
RE: ACLs, groups, and regular expressions... oh my
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Paul Wilson

> I've already tried that and it didn't work.  And as I added in a followup,
> this acl worked fine if I specify the domain.  The regular expression is
> just not being matched for some reason.
>
> Any other ideas?

Regexp matching is not the same as globbing/wildcard expansion, which seems
to be what you want. Your ACL pattern has no meaning. The parentheses "()"
can only be used to delineate patterns in the target specification, and are
only useful if you actually refer to those patterns using numeric
substitutions "$1" "$2" in the subject specs.

> > "Paul Wilson" <elviscious@rmci.net> writes:
> >
> >> I have been trying to formulate an acl that will allow read access to
> >> the ldap server, if they are a member of any of the groups.

That requires the server to perform a wildcard expansion on your pattern.
That is not a regexp pattern, and slapd won't process it.

> >> Here is the acl I came up with:
> >>
> >> access to *
> >>    by group="cn=(.*),dc=example,dc=com read
> >>    by anonymous bind
> >>    by * none
> >
> >> Now as I see it anybody that is a member of any group there should get
> >> read access to the box.  However, that of course, is not happening.

Of course.

You will have to explicitly list all of the groups that you want to give
access to. Alternately, you can create a nesting group, a group whose members
are all the other groups in the directory. Then you'll have to use the set
syntax:
	access to *
	  by set="[cn=metagroup,dc=example,dc=com]/member*" read

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
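The three points made in this reply (no wildcard expansion in `by group=`, a nesting group queried with set syntax, and what the parentheses are actually for) put together in one slapd.conf fragment. This is an added example, not configuration posted by either participant: the DNs under dc=example,dc=com, the `auth` level for anonymous binds, and the `& user` intersection in the set clause (which assumes a set clause grants access when the expression yields a non-empty set, so intersecting with the requester's own DN turns the membership closure into a membership test) are all assumptions of the example, not something the reply spells out.

```conf
# Added example (not from the thread).  slapd.conf syntax; every DN under
# dc=example,dc=com is assumed.  Directives are tried in order and the first
# "access to" whose target matches wins, so the specific target goes first.

# The parentheses "()" belong in the TARGET: they capture part of the entry's
# DN, and $1 in the subject refers to that capture.  Here each person may
# write only his own entry.
access to dn.regex="^uid=([^,]+),ou=people,dc=example,dc=com$"
        by dn.exact,expand="uid=$1,ou=people,dc=example,dc=com" write
        by * read

# Everything else: read access for group members only.
access to *
        # Explicitly listed groups.  Each clause names one groupOfNames entry
        # and matches if the requester's DN is a value of its "member"
        # attribute.  Nothing in the DN is expanded as a wildcard.
        by group="cn=staff,dc=example,dc=com" read
        by group="cn=contractors,dc=example,dc=com" read
        # A group that uses a different objectclass/attribute pair.
        by group/groupOfUniqueNames/uniqueMember="cn=auditors,dc=example,dc=com" read
        # One nesting group instead of the list above.  cn=metagroup is a
        # groupOfNames whose "member" values are the DNs of the other groups.
        # "/member*" follows "member" to closure (metagroup -> groups ->
        # people); "& user" keeps only the requester's own DN, so the set is
        # non-empty exactly when the requester is reachable from metagroup.
        # (Assumption: a set clause grants access when the set is non-empty.)
        by set="[cn=metagroup,dc=example,dc=com]/member* & user" read
        # Anonymous may only bind; everyone else is denied.
        by anonymous auth
        by * none
```

Adding a new group then means adding its DN as a `member` value of cn=metagroup rather than touching slapd.conf, which is the whole point of the nesting group. Because the closure is computed per access check, a very deep or very wide member tree costs a lookup per hop, so keep the nesting shallow.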