
ACL attr=children problem


I have some problems when trying to set ACLs for my mail LDAP tree. Here
is a bit of background information:

My sample tree in short form:

-> cn=admin,dc=my,dc=domains,dc=com
-> ou=domains,dc=my,dc=domain,dc=com
   -> ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com
      -> cn=postmaster,ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com
      -> cn=mailuser1,ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com
      -> cn=mailuser2,ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com

I want to give postmasters full access to their domain ou. In this
example, write access by
cn=postmaster,ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com to the
subtree of ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com.

I tested the following static ACL, so that I can later change and
generalize it with a regexp:

access to dn="ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com"
by dn="cn=postmaster,ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com" write

Changes to the object cn=mailuser1 in the same ou fail with "insufficient
access", so something went wrong with the pseudo-attribute children.

I chose this syntax because I want to generalize it later as follows,
if I'm correct:

access to dn.regex="^ou=(.+),ou=domains,suffix$"
by dn.regex="^cn=postmaster,ou=$1,ou=domains,suffix$" write

So I can't use the dn.subtree function, because I use the regex
functionality. This static ACL works great:

access to dn.subtree="ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com"
by dn="cn=postmaster,ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com" write

But what is the right way to do this? I'm searching for a general ACL
which controls access for each domain listed in ou=domains.

My system is a brand new Debian sarge machine with OpenLDAP 2.2.23-8.

Many thanks for your help.
Cheers, Jimmy
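Added example, not part of Jimmy's post or of the OpenLDAP project: the generalized per-domain ACL asked for above, written out in OpenLDAP 2.2 slapd.conf syntax, together with a small Python matcher that mimics how slapd expands `$N` from the `to dn.regex` match into the `by dn.regex` pattern, so the post's exact-DN attempt and the regex version can be compared offline. The sample DNs are constructed from the tree in the post, and the trailing `by * read` is an assumed clause. One caveat behind the first failure: `access to dn=...` with no style is `dn.exact` in 2.2 and covers only that one entry; the `children` pseudo-attribute governs adding and deleting entries beneath it, not modifying an existing child such as cn=mailuser1.

```python
import re

# Added example, not from the original post or the OpenLDAP project. It
# shows the generalized per-domain ACL the post is after and a small
# matcher that mimics how slapd evaluates a "to dn.regex" / "by dn.regex"
# pair, so the post's two ACL styles can be compared offline. All DNs
# below are constructed sample data following the post's tree layout.

# slapd.conf fragment (OpenLDAP 2.2 syntax). The "to" pattern matches the
# domain ou itself ($1 unmatched) and every entry beneath it ($1 = "cn=...,"),
# and $2 captures the domain name that is substituted into the "by" pattern
# before that regex is compiled. Because the extra leading group shifts the
# numbering, the domain is $2 here rather than $1 as in the post's draft.
# "by * read" is an assumption about the rest of the site's policy.
SLAPD_CONF_ACL = '''
access to dn.regex="^(.+,)?ou=([^,]+),ou=domains,dc=my,dc=domain,dc=com$"
    by dn.regex="^cn=postmaster,ou=$2,ou=domains,dc=my,dc=domain,dc=com$" write
    by * read
'''

ACL_TO = r"^(.+,)?ou=([^,]+),ou=domains,dc=my,dc=domain,dc=com$"
ACL_BY = r"^cn=postmaster,ou=$2,ou=domains,dc=my,dc=domain,dc=com$"

# The post's first attempt: "access to dn=..." without a style is dn.exact
# in 2.2, so that clause covers only the one named entry.
EXACT_ACL_TARGET = "ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com"


def expand(by_pattern, to_match):
    """Substitute $1..$9 in the "by" pattern with the groups captured by the
    "to" match, as slapd does; an unmatched optional group expands to ""."""
    return re.sub(r"\$(\d)",
                  lambda m: to_match.group(int(m.group(1))) or "",
                  by_pattern)


def regex_acl_grants_write(target_dn, bind_dn, to_pattern=ACL_TO, by_pattern=ACL_BY):
    """True if the regex ACL applies to target_dn and its "by" clause matches
    bind_dn. Simulation only; real slapd matches against normalized DNs."""
    m = re.match(to_pattern, target_dn)
    if m is None:
        return False          # clause does not apply; slapd moves on
    return re.match(expand(by_pattern, m), bind_dn) is not None


def exact_acl_applies(target_dn, acl_dn=EXACT_ACL_TARGET):
    """A dn.exact clause applies only to the named entry, never to its
    children, which is why modifying cn=mailuser1 under it falls through
    to later clauses (and, with none, to slapd's default of no access)."""
    return target_dn == acl_dn


# Constructed sample DNs following the post's tree.
POSTMASTER_OTHER = "cn=postmaster,ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com"
OU_OTHER = "ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com"
MAILUSER1_OTHER = "cn=mailuser1,ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com"
MAILUSER1_SECOND = "cn=mailuser1,ou=seconddomain,ou=domains,dc=my,dc=domain,dc=com"
OU_DOMAINS = "ou=domains,dc=my,dc=domain,dc=com"


if __name__ == "__main__":
    for target in (OU_OTHER, MAILUSER1_OTHER, MAILUSER1_SECOND, OU_DOMAINS):
        print(f"regex ACL: {POSTMASTER_OTHER} -> {target}: "
              f"write={regex_acl_grants_write(target, POSTMASTER_OTHER)}")
    for target in (OU_OTHER, MAILUSER1_OTHER):
        print(f"exact ACL covers {target}: {exact_acl_applies(target)}")
```

Two things to keep in mind when putting the fragment into slapd.conf: slapd uses the first `access to` clause whose `to` part matches the entry, so this clause has to come before any broader `access to *` rule, and `$2` is pasted verbatim into a regex, so a domain value containing metacharacters (a `.` in a real mail domain name) matches more loosely than intended. If the installed slapd's slapd.access(5) lists the `expand` modifier, `by dn.exact,expand="cn=postmaster,ou=$2,ou=domains,dc=my,dc=domain,dc=com" write` does the same substitution with an exact comparison instead of a second regex; whether 2.2.23 supports it should be checked against that man page.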