[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: dnattr access rule

To: Openldap list <openldap-software@OpenLDAP.org>
Subject: Re: dnattr access rule
From: Tony Earnshaw <tonye@billy.demon.nl>
Date: Mon, 16 Aug 2004 11:17:02 +0200
In-reply-to: <411FDF34.9060605@elegiac.net>
Organization: Billy
References: <411FDF34.9060605@elegiac.net>

man, 16.08.2004 kl. 00.09 skrev dju`:

> I need to grant access to an entry (and its children) to another entry 
> of my ldap that is listed in a specific attribute.
> 
> I have:
> 
> cn=foo,ou=people,dc=domain,dc=tld
> 
> This entry has a seeAlso attribute, which contains the DN of a user able 
> to modify it.
> 
> seeAlso: uid=bar,ou=users,dc=domain,dc=tld
> 
> I want to make uid=bar,ou=users able to modify cn=foo,ou=people and able 
> to add children to it. The following access rule doesn't seem to be right:
> 
> access to dn="^.*cn=([^,]+),ou=people,dc=domain,dc=tld$"
> 	by dnattr=seeAlso write
> 	by *	none
> 
> Can you give me help for this please? Thanks for feedback.

You don't state your OL version; ACLs are sometimes different for
different versions. However, you could better make a groupOfNames or
groupOfUniqueNames and give that group write access. Works for me ;)

--Tonni

-- 
My other notebook, a Compaq 700EA, is what my cats jump off my knee and
go and sit on, when they've had enough.

mail: tonye@billy.demon.nl
http://www.billy.demon.nl

Follow-Ups:
- Re: dnattr access rule
  - From: dju` <dju.ml@elegiac.net>

References:
- dnattr access rule
  - From: dju` <dju.ml@elegiac.net>

Prev by Date: ACL group
Next by Date: Re: AI_ADDRCONFIG in libldap/os-ip.c on solaris9
Index(es):
- Chronological
- Thread