Re: ACL attr=children problem



On Wed, 2005-11-16 at 17:26 +0100, Jimmy Ott wrote:

> thank you, i'm now understanding the meaning of the pseudo-attribute
> children. so if i'm correct, with this acl, the postmaster is now able
> to create or delete an object in this ou.

To make it short, to be able to create an object below a certain parent
object, an identity simultaneously needs write privileges on "children"
of the parent object and on "entry" of the yet-not-existing object.

> i can't upgrade now, because this is stable system, so i have to try it
> with this version at the moment.
> 
> .. but my problem, modifying entries in an ou, is not solved yet, so
> what is the correct syntax for an ACL which does following?
> 
> grant access by postmaster to all entries in the ou where the postmaster
> is placed in!
> 
> i should have something like this
> 
> access to dn.subtree.regex="^ou=(.+),ou=domains,suffix$"
>           by dn.regex="^cn=postmaster,ou=$1,ou=domains,suffix$" write
> 
> but i know this is not possible. so i'm stuck, i need a new approach :(

Yes it is:

access to dn.regex="^(.+,)?ou=([^,]+),ou=domains,dc=example,dc=com$"
	by dn.exact,expand="cn=postmaster,ou=$2,ou=domains,dc=example,dc=com" write

In the <what>:
  - the "^(.+,)?" means that if anything is present on the left of "ou="
it must end with a comma
  - the "ou=([^,]+)" means that the value of "ou" must be non-null and
must not contain any comma "," (note that if your value __does__ contain
commas, all pattern matching will occur with respect to the normalized
DN, so they will be in the "\<hexpair>" form)

In the <who>:
  - the "exact,expand" indicates that an exact match on the DN resulting
from a substring expansion will be used.
  - in the <who> no regex evaluation occurs ("exact" match) so you don't
need special regex chars to indicate up to beginning or end of value
(actually, if you do it's an error).

p.





Ing. Pierangelo Masarati
Responsabile Open Solution

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
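
Added example, not part of the original message and not OpenLDAP code: a small Python model of how the ACL above is evaluated, showing which submatch "$2" captures and that the <who> is compared as a plain string after expansion. It assumes both DNs are already normalized, handles only the "$<digit>" form of expansion, and ignores every other ACL clause; the sample DNs are constructed.

```python
import re

# <what> pattern and <who> template copied from the ACL in the message.
# slapd uses POSIX extended regex; this pattern behaves the same in Python.
WHAT = re.compile(r"^(.+,)?ou=([^,]+),ou=domains,dc=example,dc=com$")
WHO_TEMPLATE = "cn=postmaster,ou=$2,ou=domains,dc=example,dc=com"


def expand(template, match):
    """Replace $0..$9 with the corresponding submatch of the <what> regex."""
    def sub(m):
        i = int(m.group(1))
        # Unset or out-of-range submatches expand to the empty string here.
        return (match.group(i) or "") if i <= match.re.groups else ""
    return re.sub(r"\$(\d)", sub, template)


def expanded_who(target_dn):
    """DN that must bind to get write on target_dn, or None if the <what>
    clause does not select target_dn at all."""
    m = WHAT.match(target_dn)
    return expand(WHO_TEMPLATE, m) if m else None


def grants_write(target_dn, bind_dn):
    """True if this one clause gives bind_dn write access to target_dn.
    The comparison is an exact string match: no regex is applied to <who>."""
    who = expanded_who(target_dn)
    return who is not None and who == bind_dn


if __name__ == "__main__":
    base = "ou=domains,dc=example,dc=com"
    pm_a = "cn=postmaster,ou=a.example," + base      # constructed identities
    pm_b = "cn=postmaster,ou=b.example," + base
    samples = [                                      # constructed target DNs
        "ou=a.example," + base,                      # the ou entry itself
        "uid=alice,ou=a.example," + base,            # direct child
        "uid=bob,ou=people,ou=a.example," + base,    # deeper in the subtree
        base,                                        # parent container
    ]
    for dn in samples:
        print(dn, "->", expanded_who(dn),
              "| a:", grants_write(dn, pm_a), "| b:", grants_write(dn, pm_b))
```

Because the pattern is anchored at the suffix, "$2" is always the ou directly below ou=domains, however deep the target entry sits.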