[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Rights to create a new entry

After a lot of tries, I manage to autorise a user to
create a subentry of it own entry with the following

access to dn.regex="[^,]+,(cn=[^,]+,ou=users,dc=ouba,dc=org)$" attrs="children"
by anonymous none
by users none

access to dn.regex="[^,]+,(cn=[^,]+,ou=users,dc=ouba,dc=org)$"
        by dn.exact,expand="$2" write
        by anonymous none
        by users none

The first one is to autorise only one level because the second
one give implicit write permission to the children attribute.

Then, in order to modify easily the entry with phpldapadmin, I
have to add this ACL :

access to dn.base="cn=SubSchema" attrs="objectClasses,attributeTypes,ldapSyntaxes"
by anonymous none
by users read

Now, I have a little problem, because in reality, when I look
for the log, it seems the $2 is not expanded correctly :

Dec  1 15:54:24 smtp slapd[26346]: <= check a_dn_pat: $2

I'm with an openldap 2.1.30, should I upgrade to 2.2.x
serie ? Because my distribution (Gentoo) doesn't have
ebuild for this version (only a test ebuild).
Perhaps my syntax is not correct, but into the 2.1.x man
pages slapd.access, the expand, regex, etc ... are not
described well.

Thanks ...


Mailing List wrote:

I would like to autorize my users to create new entry
below their own. I read a lot of thing into the faq,
I manage to get ACL give the right to write to an
entry below a specific entry, but impossible to give
the right to create a brand new entry. In the log file,
it claims about access to "cn=SubSchema".

Can someone say me what are the minimum rights to create
a new entry ?

Thanks in advance