[Date Prev][Date Next]
Re: regex in group ACL
Ok, now I can explain my whole access control problem :
In my directory (OpenLDAP of course), under each user, I store objects
representing an account in a given application. This account contains a
login and a password and is used to open a session in the application. I
wrote the access control rules which give each user special rights on
its objects (the ones under its own entry).
But know I want sometimes (understand : at run time, so no rule in
configuration file) to give somebody else access right on an account
object under a given user.
I did not designed the data model, and did not write the whole software
(which is originally wrote to work with Active Directory), and currently
when such an operation is made, an object of class delegation is created
under the account object, and this object contains the DN of the user to
which the right is given.
So under an object of class account, there is one object of class
delegation for each user who can use the account.
Now, I want to write generic rules in slapd.conf that gives the concrete
access rights on the account to the users referenced in the delegation
objects under it, so the access rights are automatic when a delegation
operation is done
My first idea was to consider the delegation objects as groups, and use
such an access rule, which I found very simple and clear for such a
complex behavior :
access to filter="objectClass=account" dn="(.*)"
by group/delegation/delegatedUserDN.regex=".*,$1" read
(I use 'regex' or 'expand' depending on the version of OpenLDAP the
so every object of class delegation located under an account object
automatically give access on the account object to the user DN
referenced in its attribute delegatedUserDN.
But, too bad for me, one can't use wildcards in a group.regex expression.
What can I do to solve my problem ?
Thank you very much to every one who reached this point of my post :-)