Re: Re: Access Control by Organizational Unit?

Heather Lockridge writes:
> (quoting me:)
> The "[^,]*," says that the directive applies to entries directly below
> the ou.  It will not work if the OU contains entries with "," in their
> RDN.

Sorry, that was wrong.  Someday I'm going to stop confusing OpenLDAP
with a program where this is true :-(

> I realize that now I need the Directory Manager to be able to create
> OU's below the OU of which he is the Directory Manager and then also
> to create and change people's cn entries in that OU.

If you have an OU with a Directory Manager below another OU with a
Directory Manager, I don't know what to do.

If all your Directory Managers are below the outermost OUs, like the
ones below ou-one and ou-two, you can use

access to  dn.regex=".*,(ou=.*)" attr=userPassword
       by  self                               ssf=128 write
       by  dn.regex="cn=Directory Manager,$1" ssf=128 write
       by  *                                  ssf=128 auth

access to  dn.regex=".*,(ou=.*)"
       by  dn.regex="cn=Directory Manager,$1"  write
       by  *                                   read

access to  dn.regex="(ou=.*)" attr=children
       by  dn.regex="cn=Directory Manager,$1"  write
       by  *                                   read

Or if it's OK for a Directory Manager to have access to his parent OU,
you can replace the two last statements with

access to  dn.regex="(.*,)?(ou=.*)"
       by  dn.regex="cn=Directory Manager,$2"  write
       by  *                                   read
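As an added example that is not part of the post: a small Python evaluator for the ACLs above, so you can see which "by" line slapd would pick for a given target DN, bound DN, attribute and connection SSF, including the nested-Directory-Manager case and the plaintext-connection case. It assumes whole-DN regex matching, literal $N substitution and first-match-wins (check slapd.access(5) for your version), and all DNs in it are constructed.

```python
import re

# Added example, not code from the post.  Assumptions (mine; check
# slapd.access(5) for your version): a dn.regex pattern must match the whole
# normalized (here: lowercased) DN, $N in a "by" clause is replaced by group N
# of the "access to" match, an "access to" line with no attrs covers every
# attribute including the entry/children pseudo-attributes, and the first
# matching "access to" and then the first matching "by" decide the outcome.

DM = r"cn=directory manager,$1"
BELOW_OU = r".*,(ou=.*)"          # greedy .* leaves the outermost OU in $1
ACLS_STRICT = [  # (what regex, attr or None, [(who, minimum ssf, access)])
    (BELOW_OU, "userpassword", [("self", 128, "write"), (DM, 128, "write"),
                                ("*", 128, "auth")]),
    (BELOW_OU, None, [(DM, 0, "write"), ("*", 0, "read")]),
    (r"(ou=.*)", "children", [(DM, 0, "write"), ("*", 0, "read")]),
]
# The variant at the end of the post: the OU entry itself is also writable.
ACLS_PARENT = ACLS_STRICT[:1] + [
    (r"(.*,)?(ou=.*)", None,
     [(r"cn=directory manager,$2", 0, "write"), ("*", 0, "read")]),
]

def expand(who, m):
    """Substitute $N in a <who> pattern with group N of the <what> match."""
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), who)

def decide(acls, target, bound, attr, ssf=0):
    """Return (access, <who> that matched) or None when no clause applies."""
    target, bound, attr = target.lower(), bound.lower(), attr.lower()
    for what, what_attr, bys in acls:
        m = re.fullmatch(what, target)
        if not m or (what_attr is not None and what_attr != attr):
            continue
        for who, min_ssf, level in bys:
            if ssf < min_ssf:
                continue      # "by ... ssf=128" is skipped on a weaker link
            if who == "self":
                hit = bound == target
            elif who == "*":
                hit = True
            else:
                hit = re.fullmatch(expand(who, m), bound) is not None
            if hit:
                return level, who
        return None           # first matching "access to" wins, even if deny
    return None
```

A Directory Manager of ou=people,ou=one only gets "read" on entries below ou=people under these rules, because $1 always expands to the outermost OU; that is the nested case the post says it cannot handle.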