
Re: group.regex

Ace Suares wrote:

You'll find the answer here:


and here:


Thanks Ace. That definitely answered my question. Still, at first I wasn't able to get it to work. Once I got logging enabled properly (with the correct log level) I was able to figure out what was going on. In my example:

	access to dn="cn=(.+),dc=example,dc=com"
	by group.regex="cn=$1,cn=test,dc=example,dc=com" write

This didn't work, because what happens is that write access is asked for and the full dn of the new entry is passed in the request. So if I want write access to "cn=penguin,dc=example,dc=com" and want to create an entry "cn=nothing,cn=penguin,dc=example,dc=com", the match from the above regex ($1) would be "nothing,cn=penguin". Then, the group "cn=nothing,cn=penguin,cn=test,dc=example,dc=com" is searched for, and not found. The group should be "cn=penguin,cn=test,dc=example,dc=com". This ended up working:

	access to dn=".*cn=(.+),dc=example,dc=com"
	by group.regex="cn=$1,cn=test,dc=example,dc=com" write

A note about my second question. In your messages you link to above, you mention that you plan to write documentation on access control. I guess that would be because there isn't any good documentation in existence. Have you had a chance to do so? If so, I would love to see what you have.


Matt M.
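To make the behaviour Matt describes visible without a running slapd, here is an added example (not OpenLDAP code) that approximates the ACL engine's step: match the <what> dn.regex against the DN named in the request and expand $1..$9 in the group.regex template to get the group DN that would be looked up. The function name expand_group_dn and the use of Python's re module as a stand-in for slapd's POSIX regexec() are assumptions; for these particular patterns both engines produce the same submatches.

```python
import re

# Hypothetical stand-in for slapd's ACL evaluation (added example, not OpenLDAP code).
def expand_group_dn(what_regex: str, group_template: str, target_dn: str):
    """Return the group DN slapd would search for, or None if <what> does not match.

    target_dn is the DN carried by the request: for an add, that is the DN of the
    NEW entry, which is why a child DN ends up in the submatch."""
    # regexec() is not anchored unless the pattern says ^/$, so search(), not match()
    m = re.search(what_regex, target_dn)
    if m is None:
        return None

    def sub(ref):
        n = int(ref.group(1))
        # $N beyond the number of capture groups expands to nothing
        return m.group(n) if n <= (m.lastindex or 0) else ""

    return re.sub(r"\$([1-9])", sub, group_template)


GROUP_TEMPLATE = "cn=$1,cn=test,dc=example,dc=com"
BROKEN_WHAT = r"cn=(.+),dc=example,dc=com"      # first attempt from the thread
FIXED_WHAT = r".*cn=(.+),dc=example,dc=com"     # working version from the thread

# Constructed sample DNs matching the thread's scenario.
EXISTING = "cn=penguin,dc=example,dc=com"              # entry being modified
NEW_CHILD = "cn=nothing,cn=penguin,dc=example,dc=com"  # entry being added

if __name__ == "__main__":
    for label, pat in (("broken", BROKEN_WHAT), ("fixed", FIXED_WHAT)):
        for dn in (EXISTING, NEW_CHILD):
            print(f"{label:6} {dn:45} -> {expand_group_dn(pat, GROUP_TEMPLATE, dn)}")
```

Note that the working pattern also matches any deeper child under cn=penguin (the greedy `.*` swallows everything up to the last "cn="), so the penguin group gets write access to the whole subtree, and `(.+)` still spans commas, so a DN with other RDN types between the last "cn=" and the suffix yields a group DN that will not exist.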

Hi all,

I am just beginning to learn the syntax for access control with slapd.
My question pertains to group regexes. The administrators manual and the
slapd.access man page leave me a little confused.

Quote from the slapd.access man page:
The statement dn=<pattern> means that access is granted to the matching
DN. The optional style qualifier dnstyle allows the same choices of
the dn form of the <what> field. In addition, the regex form of
pattern can exploit substring substitution of submatches in the
<what> dn.regex clause by using the form $<digit>, with digit ranging
from 1 to 9.

Do the submatches work for groups also? For instance, take the following:

access to dn="cn=(.+),dc=example,dc=com"
by group.regex="cn=$1,cn=test,dc=example,dc=com" write
by * read

access to * by * read

If they do indeed work for group.regex, then I would expect that access
to an entry "cn=penguin,dc=example,dc=com" would be writable by the
group "cn=penguin,cn=test,dc=example,dc=com" right?

I tried this and it didn't work. I get insufficient rights errors when
attempting to add an entry. Any help understanding this is appreciated.
I'm running openldap-2.1.21 on Linux (Fedora Core 1).

Also, does anyone know of a good book that covers access control in
detail, or maybe links to some good tutorials or articles?


Matt M.

- -- Ace Suares' Internet Consultancy
NEW ADDRESS: Postbus 2599, 4800 CN Breda
telephone: 06-244 33 608
fax and voicemail: 0848-707 705
website: http://www.suares.nl * http://www.qwikzite.nl