
Re: ACL rule problem




On Feb 12, 2005, at 20:45, Jens Vagelpohl wrote:
The ACL:

--------------------------
access to dn.regex="^(.+,)?ou=([^,]+),ou=mail,dc=mycompany,dc=com$"
by group/groupOfUniqueNames/ uniqueMember.regex="^ou=$2,ou=mail,dc=mycompany,dc=com$$" write
by * none
--------------------------



The outcome:

----------------
=> access_allowed: search access to "ou=mycompany.com,ou=mail,dc=mycompany,dc=com" "objectClass" requested
=> acl_get: [1] check attr objectClass
=> dnpat: [2] ^(.+,)?ou=([^,]+),ou=mail,dc=mycompany,dc=com$ nsub: 2
=> acl_get: [2] matched
=> acl_get: [2] check attr objectClass
<= acl_get: [2] acl ou=mycompany.com,ou=mail,dc=mycompany,dc=com attr: objectClass
=> acl_mask: access to entry "ou=mycompany.com,ou=mail,dc=mycompany,dc=com", attr "objectClass" requested
=> acl_mask: to value by "cn=jens@mycompany.com,ou=mycompany.com,ou=mail,dc=mycompany,dc=com", (=n)
-----------------

As usual, a small change made it work a few minutes after posting. The working ACL looks like this, and the change simply involves removing the "$" at the end and the "^" at the front, and adding the "expand" qualifier to the "who" rule:


-------------------
access to dn.regex="^(.+,)?ou=([^,]+),ou=mail,dc=mycompany,dc=com$"
by group/groupOfUniqueNames/ uniqueMember.regex,expand="ou=$2,ou=mail,dc=mycompany,dc=com" write
-------------------


jens
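As an added illustration (not part of the post and not OpenLDAP code), the following Python model shows what the `expand` qualifier changes: the submatches of the `what` dn.regex are substituted into the `who` pattern, and the result is then used as the DN of a single group entry, which is why the `^` and `$` anchors had to go from the working rule. Without `expand`, `$2` is never substituted, so the group lookup is done with the literal pattern and no `by` clause matches. The directory entries, the `normalize_dn`, `resolve_group_dn` and `access_for` helpers, and the treatment of `$$` as a literal `$` are assumptions made for this demo; slapd.access(5) is the authoritative description of the real evaluation.

```python
"""Toy model of how slapd resolves a group/.../uniqueMember "who" clause
against a dn.regex "what" clause, with and without `expand`.
Added example, not OpenLDAP code; the directory data is constructed."""
import re
from typing import Optional, Tuple

# Constructed directory fragment (not from the post): each per-domain ou under
# ou=mail is also a groupOfUniqueNames whose members may write to that subtree.
DIRECTORY = {
    "ou=mycompany.com,ou=mail,dc=mycompany,dc=com": {
        "objectClass": ["organizationalUnit", "groupOfUniqueNames"],
        "uniqueMember": [
            "cn=jens@mycompany.com,ou=mycompany.com,ou=mail,dc=mycompany,dc=com",
        ],
    },
    "ou=other.example,ou=mail,dc=mycompany,dc=com": {
        "objectClass": ["organizationalUnit", "groupOfUniqueNames"],
        "uniqueMember": [
            "cn=alice@other.example,ou=other.example,ou=mail,dc=mycompany,dc=com",
        ],
    },
}

# The "what" clause is identical in both of the post's ACLs.
WHAT_REGEX = r"^(.+,)?ou=([^,]+),ou=mail,dc=mycompany,dc=com$"

# The two "who" patterns from the post, paired with whether `expand` was set.
ORIGINAL_WHO = ("^ou=$2,ou=mail,dc=mycompany,dc=com$$", False)
WORKING_WHO = ("ou=$2,ou=mail,dc=mycompany,dc=com", True)


def normalize_dn(dn: str) -> str:
    """Lower-case and strip blanks around RDN separators.  slapd does full
    schema-aware DN normalization; this is enough for the demo."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def expand_submatches(pattern: str, what: "re.Match[str]") -> str:
    """Substitute $0..$9 with submatches of the 'what' regex, as the
    `expand` qualifier does.  An optional group that did not participate
    ($1 when the target is the ou itself) becomes the empty string.
    Treating '$$' as a literal '$' is an assumption about slapd here."""
    def repl(m: "re.Match[str]") -> str:
        token = m.group(0)
        if token == "$$":
            return "$"
        n = int(token[1])
        if n > what.re.groups:
            raise ValueError(f"${n} has no submatch in the what-regex")
        return what.group(n) or ""
    return re.sub(r"\$\$|\$[0-9]", repl, pattern)


def resolve_group_dn(who: Tuple[str, bool], target_dn: str) -> Optional[str]:
    """Return the group DN the 'who' clause names for target_dn, or None if
    the 'what' clause does not cover target_dn at all.  Without `expand` the
    '$2' is never substituted, so the literal pattern is returned as-is."""
    what = re.match(WHAT_REGEX, target_dn)
    if what is None:
        return None
    pattern, expand = who
    return expand_submatches(pattern, what) if expand else pattern


def access_for(who: Tuple[str, bool], target_dn: str, bind_dn: str) -> str:
    """'write' if bind_dn is a uniqueMember of the resolved group, otherwise
    'none' (slapd's implicit `by * none` when no 'by' clause matches)."""
    group_dn = resolve_group_dn(who, target_dn)
    if group_dn is None:
        return "none"
    group = DIRECTORY.get(normalize_dn(group_dn))
    if group is None or "groupOfUniqueNames" not in group["objectClass"]:
        return "none"
    members = {normalize_dn(m) for m in group["uniqueMember"]}
    return "write" if normalize_dn(bind_dn) in members else "none"


if __name__ == "__main__":
    jens = "cn=jens@mycompany.com,ou=mycompany.com,ou=mail,dc=mycompany,dc=com"
    for target in (
        "ou=mycompany.com,ou=mail,dc=mycompany,dc=com",
        "cn=bob@mycompany.com,ou=mycompany.com,ou=mail,dc=mycompany,dc=com",
        "ou=other.example,ou=mail,dc=mycompany,dc=com",
    ):
        for label, who in (("original", ORIGINAL_WHO), ("working", WORKING_WHO)):
            print(f"{label:8} {target:72} -> {access_for(who, target, jens)}")
```

Running it shows the original rule denying everything, and the working rule granting write to the ou entry and to entries beneath it, but only to members of the group for that particular ou: a user listed under ou=mycompany.com gets nothing on ou=other.example. That per-subtree scoping is the point of using `$2` in the group DN rather than a fixed group.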