[Date Prev][Date Next] [Chronological] [Thread] [Top]


Hi all,

I am just beginning to learn the syntax for access control with slapd. My question pertains to group regex's. The administrators manual and the slapd.access man page leave me a little confused.

Quote from the slapd.access man page:
The statement dn=<pattern> means that access is granted to the matching DN. The optional style qualifier dnstyle allows the same choices of the dn form of the <what> field. In addition, the regex form of pattern can exploit substring substitution of submatches in the <what> dn.regex clause by using the form $<digit>, with digit ranging from 1 to 9.

Do the submatches work for groups also. For instance, take the following:

access to dn="cn=(.+),dc=example,dc=com"
by group.regex="cn=$1,cn=test,dc=example,dc=com" write
by * read

access to * by * read

If they do indeed work for group.regex, then I would expect that access to an entry "cn=penguin,dc=example,dc=com" would be writable by the group "cn=penguin,cn=test,dc=example,dc=com" right?

I tried this and it didn't work. I get insuficient rights errors when attempting to add an entry. Any help understanding this is appreciated. I'm running openldap-2.1.21 on Linux(Fedora Core 1).

Also, does anyone know of a good book that covers access control in detail, or maybe links to some good tutorials or articles.


Matt M.