Re: ACLs on OUs and their children/leaves
--On Monday, February 21, 2005 9:43 PM +0100 Markus Wernig wrote:
Pierangelo Masarati wrote:
|> access to dn.sub="ou=users,dc=domain,dc=tld"
|>     by dnattr="ou" write
| This is wrong because, as the name says, you need to set "dnattr" to an
| attribute that is DN-valued (or nameAndOptionalUID-valued, like
| uniqueMember). The solution to your problem is:
| access to dn.regex="(.+,)?(ou=[^,]+,ou=users,dc=domain,dc=tld)$"
| by dn.exact,expand="$2" write
| i.e. grab the terminal portion of the DN and use it to compare with the
| identity of the operation.
Thank you very much - this solved my problem.
I'm a bit puzzled, though ... I didn't find any reference to the
backreferencing capabilities of slapd's regex (expand=$2) in the manuals
that I read. Does anybody know where to find the appropriate
documentation (besides in the code)?
man slapd.access (5)
There is even an example of using expand provided (at least in OL 2.2.23).
Principal Software Developer
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
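The following is an added illustration, not code from the thread or from OpenLDAP, of what the dn.regex / expand="$2" ACL above actually decides. It re-implements the match-and-expand step in Python so the behaviour can be checked against sample DNs offline: the regex captures the "ou=...,ou=users,dc=domain,dc=tld" tail of the target DN as group 2, and the ACL then grants write only when that tail is exactly the bound DN. The DN normalisation helper is a crude stand-in for slapd's own (lowercasing and stripping whitespace around commas), and the case-insensitive match reflects how slapd compiles ACL regexes; the sample DNs are constructed here, not taken from the thread.

```python
import re

# The ACL from the thread, shown for reference (slapd.conf syntax):
#   access to dn.regex="(.+,)?(ou=[^,]+,ou=users,dc=domain,dc=tld)$"
#       by dn.exact,expand="$2" write
#
# slapd compiles ACL regexes with REG_EXTENDED|REG_ICASE, so match case-insensitively.
TARGET_RE = re.compile(r"(.+,)?(ou=[^,]+,ou=users,dc=domain,dc=tld)$", re.IGNORECASE)


def normalize_dn(dn):
    """Crude stand-in for slapd DN normalisation (assumption, not slapd's code):
    lowercase the DN and strip whitespace around RDN separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def acl_owner(target_dn):
    """Return what expand="$2" would substitute for this target DN, or None
    if the dn.regex clause does not match (i.e. this ACL does not apply)."""
    m = TARGET_RE.search(normalize_dn(target_dn))
    return m.group(2) if m else None


def ou_can_write(bound_dn, target_dn):
    """True if the ACL grants the bound identity write access on target_dn.

    The "by dn.exact,expand=\"$2\" write" clause matches only when the bound
    DN equals the captured OU DN, so the OU entry itself (bound as that OU)
    gets write on its own entry and everything beneath it."""
    owner = acl_owner(target_dn)
    if owner is None:
        return False  # regex did not match: this ACL is silent, later ACLs decide
    return normalize_dn(bound_dn) == owner


if __name__ == "__main__":
    # Constructed sample DNs for a quick demonstration.
    sales = "ou=sales,ou=users,dc=domain,dc=tld"
    bob = "uid=bob,ou=sales,ou=users,dc=domain,dc=tld"
    alice = "uid=alice,ou=hr,ou=users,dc=domain,dc=tld"
    nested = "uid=carol,ou=team1,ou=sales,ou=users,dc=domain,dc=tld"
    for who, what in [(sales, bob), (sales, alice), (bob, bob), (sales, sales), (sales, nested)]:
        print(f"{who!r} -> {what!r}: owner={acl_owner(what)!r} write={ou_can_write(who, what)}")
```

One caveat the regex makes visible: because "(.+,)?" is greedy and group 2 is pinned to the "ou=...,ou=users,..." directly above the suffix, a nested OU such as ou=team1,ou=sales,ou=users,... never becomes $2. The top-level OU (ou=sales) can write entries nested under team1, but binding as ou=team1 grants nothing under this rule; if sub-OUs should manage their own subtrees, the regex needs to be written for that case explicitly.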