
Re: ACL problem posixgroup/groupofnames



>> So why doesn't the syntax provided by faq-o-matic for granting access
...
> problem you're experiencing. Can you elaborate on it?

I can't find an example of the correct syntax (written in English as opposed to BNF) to save my (or anyone else's) life. I believe Mandrake's Buchan Milne has also taken a crack at this, as he was the one who originally set up the generic regex-based ACLs.

http://www.openldap.org/faq/index.cgi?_highlightWords=group%20access&file=52

From the faq-o-matic, specifically:

> The above examples assume that the group members are to be found
> in the "member" attribute type of the "groupOfNames" object class.
> If you need to use a different group object and/or a different
> attribute type then use the following slapd.conf syntax:
>
>
> access to <what>
>         by group/<objectclass>/<attributename>=<dn-regex> <access>

...and yet this does not work:

> access to dn.regex="([^,]+,)?ou=People,(dc=[^,]+(,dc=[^,]+)*)$"
>         attrs=inetOrgPerson,mail
>         by self write
>         by dn.exact,expand="uid=Administrator,ou=People,$2" write
>         by group/posixgroup/memberUid="cn=Domain Controllers,ou=Group,$2" write
>         by group="cn=Replicator,ou=Group,$2" write
>         by users read
>         by anonymous read


I really hate the idea of data redundancy when that is specifically what databases are supposed to avoid. Of course the entry below does work, but you have to keep duplicate groups in the "Access Groups" OU:

> access to dn.regex="([^,]+,)?ou=People,(dc=[^,]+(,dc=[^,]+)*)$"
>         attrs=inetOrgPerson,mail
>         by self write
>         by dn.exact,expand="uid=Administrator,ou=People,$2" write
>         by group="cn=Domain Controllers,ou=Group,$2" write
>         by group="cn=Domain Controllers,ou=Access Groups,$2" write
>         by group="cn=Replicator,ou=Group,$2" write
>         by users read
>         by anonymous read

The error for the problem entry is:

[root@enigma 0 openldap]$ slapd -t
/etc/openldap/slapd.access.conf: line 26: group "cn=Domain Controllers,ou=Group,$2": inappropriate syntax: 1.3.6.1.4.1.1466.115.121.1.26
...


Where can I find an English representation of the syntax for such a reference, which I assume is an OID or something?

Jim C.
--
-----------------------------------------------------------------
| I can be reached on the following Instant Messenger services: |
|---------------------------------------------------------------|
| MSN: j_c_llings@hotmail.com  AIM: WyteLi0n  ICQ: 123291844 	|
|---------------------------------------------------------------|
| Y!: j_c_llings               Jabber: jcllings@njs.netlab.cz	|
-----------------------------------------------------------------
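As an added illustration, not part of Jim's message and not OpenLDAP's own code, the following Python models how slapd walks the `by` clauses of the working ACL quoted above for one target entry: the `access to dn.regex` pattern is matched against the target DN, `$2` in the `,expand` clauses is replaced with the captured `dc=...` suffix, and the first `by` clause that matches the bound identity decides the access level. The suffix `dc=example,dc=com`, every DN and the group membership table are constructed sample data; the toy models only groupOfNames-style groups whose members are full DNs, compares DNs as plain strings rather than normalized DNs, and ignores the `attrs=` restriction.

```python
import re
from typing import Optional

# Regex copied from the ACL in the post. Capture group 2 is the
# "dc=...,dc=..." suffix that the ",expand" clauses refer to as $2.
# slapd's dn.regex is not anchored at the start, so re.search is used.
PEOPLE_DN_RE = re.compile(r"([^,]+,)?ou=People,(dc=[^,]+(,dc=[^,]+)*)$")

# Constructed stand-in for groupOfNames entries: group DN -> set of
# member DNs (the "member" attribute). Sample data, not from the post.
GROUP_MEMBERS = {
    "cn=Domain Controllers,ou=Group,dc=example,dc=com": {
        "uid=dc1,ou=Hosts,dc=example,dc=com",
    },
    "cn=Replicator,ou=Group,dc=example,dc=com": {
        "uid=syncrepl,ou=People,dc=example,dc=com",
    },
}

# The <by> clauses of the working ACL, in slapd evaluation order.
# Each entry is (clause kind, value to expand, access granted).
BY_CLAUSES = [
    ("self", None, "write"),
    ("dn.exact,expand", "uid=Administrator,ou=People,$2", "write"),
    ("group,expand", "cn=Domain Controllers,ou=Group,$2", "write"),
    ("group,expand", "cn=Replicator,ou=Group,$2", "write"),
    ("users", None, "read"),
    ("anonymous", None, "read"),
]


def expand(template: str, match: "re.Match[str]") -> str:
    """Replace $N in template with capture group N, like slapd's ",expand"."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))) or "", template)


def evaluate_access(target_dn: str, bind_dn: Optional[str]) -> Optional[str]:
    """Return the access level the ACL grants bind_dn on target_dn.

    bind_dn is None for an anonymous bind. Returns None when the
    'access to' regex does not match the target at all (slapd would then
    move on to later access directives). Among the <by> clauses the first
    match wins, which is slapd's default (implicit 'stop').
    """
    m = PEOPLE_DN_RE.search(target_dn)
    if m is None:
        return None
    for kind, value, access in BY_CLAUSES:
        if kind == "self" and bind_dn is not None and bind_dn == target_dn:
            return access
        if kind == "dn.exact,expand" and bind_dn == expand(value, m):
            return access
        if kind == "group,expand" and bind_dn in GROUP_MEMBERS.get(expand(value, m), set()):
            return access
        if kind == "users" and bind_dn is not None:
            return access
        if kind == "anonymous" and bind_dn is None:
            return access
    return "none"  # no <by> clause matched: slapd denies


if __name__ == "__main__":
    target = "uid=jim,ou=People,dc=example,dc=com"
    for who in (target,
                "uid=Administrator,ou=People,dc=example,dc=com",
                "uid=dc1,ou=Hosts,dc=example,dc=com",
                "uid=bob,ou=People,dc=example,dc=com",
                "uid=Administrator,ou=People,dc=other,dc=org",
                None):
        print(f"{who!s:50} -> {evaluate_access(target, who)}")
```

The last sample bind shows why `$2` matters: an Administrator under a different suffix (`dc=other,dc=org`) expands to a DN that does not match, so it falls through to `by users read` instead of getting write access.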