Re: ACL questions
Mailing List wrote:
> Hello,
> I would like to do exactly what the following FAQ entry describes:
> http://www.openldap.org/faq/data/cache/653.html
> i.e. allow a user to write below his own entry.
> but when I start slapd, it claimed that dn.expand is not admitted
> here or something like that ...
It depends on what version of the software you're using, but in any case
I wouldn't use any that doesn't accept that style modifier, and I'd
definitely upgrade to the latest stable.
> access to dn.regex="^.*,(uid=.*,o=Company)$$"
> by dn.expand="$1" write
> by anonymous auth
> First, does this ACL work for anyone?
> If not, do you have a workaround?
That's blatantly wrong for many reasons; I suggest you fix the FAQ after
seeing if it works as intended.
1) a regex pattern starting with "^.*" is nonsense, because ".*" can
match anything so it will surely match from the beginning.
2) an (impossible) string ",uid=..." would match as well, although it's
not a valid DN, and the suggested one, while a DN "uid=..." would not match
because it has no leading comma ",".
3) a pattern "uid=.*," means that any value, from "" to
"foo,ou=disabled" would match, giving disabled users write access to
their entry and children. Use "uid=[^,]+" if this is what you mean.
4) the trailing "$$" is meaningless; use only one to force a match to the
end of the string.
5) "dn.expand" means nothing; it has to be "dn.<style>,expand"; in this
case, I assume you mean a style of "exact".
There could be more inconsistencies I'm not noticing at the moment.
So, that ACL should look like
access to dn.regex="(.+,)?(uid=[^,]+,o=Company)$"
by dn.exact,expand="$2" write
by anonymous auth
If the version you're using is so old that it doesn't support the
"expand" style modifier, you can use
access to dn.regex="(.+,)?(uid=[^,]+,o=Company)$"
by dn.regex="$2" write
by anonymous auth
p.
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
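To make points 2 and 3 of the reply concrete, here is an added example (not part of the thread) that runs the FAQ pattern and the corrected pattern from the message against a few constructed DNs and shows which DN each one would substitute into the "by dn...,expand" clause. It assumes Python's re module behaves like slapd's regex matching for these simple patterns (unanchored search, greedy matching), which is an approximation.

```python
import re

# Pattern from the FAQ entry quoted in the thread; the subject is group 1.
FAQ_PATTERN = r"^.*,(uid=.*,o=Company)$$"
# Corrected pattern from the reply; the subject is group 2.
FIXED_PATTERN = r"(.+,)?(uid=[^,]+,o=Company)$"

# Constructed sample target DNs (not taken from the thread).
SAMPLE_DNS = [
    "uid=alice,o=Company",                    # the user's own entry
    "cn=phone,uid=alice,o=Company",           # a child of the user's entry
    "cn=x,uid=bob,ou=disabled,o=Company",     # child of a *disabled* user
    ",uid=alice,o=Company",                   # not a valid DN at all
]


def who_may_write(pattern, group, target_dn):
    """Return the DN that the ACL would grant write access to target_dn
    (the text substituted for $<group>), or None if the "access to"
    clause does not match target_dn at all.
    Assumption: slapd's regex evaluation is approximated by re.search."""
    m = re.search(pattern, target_dn)
    if not m or m.group(group) is None:
        return None
    return m.group(group)


def compare(dns=SAMPLE_DNS):
    """Map each target DN to (FAQ result, corrected result)."""
    return {
        dn: (who_may_write(FAQ_PATTERN, 1, dn),
             who_may_write(FIXED_PATTERN, 2, dn))
        for dn in dns
    }


if __name__ == "__main__":
    for dn, (faq, fixed) in compare().items():
        print(f"{dn!r:40} FAQ -> {faq!r:35} fixed -> {fixed!r}")
```

The FAQ pattern fails to match the user's own entry (no leading comma), grants a disabled user write access below his entry, and happily matches a string that is not a DN; the corrected pattern does the expected thing in all four cases.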