[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL attr=children problem

Pierangelo Masarati wrote:
> On Wed, 2005-11-16 at 15:48 +0100, Jimmy Ott wrote:
>>>Did you read slapd.access(5)?  If you didn't, go and do it.  If you did,
>>>you might have misunderstood the meaning of the pseudo-attribute
>>i've read it a few times, but so i've misunderstood it, my english isn't
>>very good.
>>quote: "The statement attrs=<attrlist> selects the attributes the access
>>control rule applies to. It is a comma-separated list of attribute
>>types, plus the special names entry, indicating access to the entry
>>itself, and children, indicating access to the entry's children"
>>what are the entry's children? not child objects of an ou?
>>and what is the right approach for my problem?
> You should go a little below.  "children" grants access to child objects
> for the appropriate operations, i.e. to add a child or delete one.  They
> have nothing to do with accessing the child entry itself.  It's the
> "entry" pseudo-attribute that refer to the object itself (i.e., for a
> search, to the possibility to return the DN).
> If you look at the "OPERATION REQUIREMENTS" section, you'll see what
> access to what entities is required for each operation and each
> operation phase.  Since you're using an old (and patched by the packager
> and known to be buggy) version, this section may be incomplete or even
> not present, I don't recall.  In that case, I suggest you grab a more
> recent version (e.g. the one from OpenLDAP 2.2.29, or even from the 2.3
> branch, although in that case there might be small nd subtle
> differences).  You may even feel like upgrading :)
> p.
> Ing. Pierangelo Masarati
> Responsabile Open Solution
> SysNet s.n.c.
> Via Dossi, 8 - 27100 Pavia - ITALIA
> http://www.sys-net.it
> ------------------------------------------
> Office:   +39.02.23998309          
> Mobile:   +39.333.4963172
> Email:    pierangelo.masarati@sys-net.it
> ------------------------------------------


i was too stupid to think.
i solved it now with:

access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=intra,dc=onnet,dc=ch$"
  by dn.regex="^cn=postmaster,ou=$2,ou=domains,dc=intra,dc=onnet,dc=ch$"

yippiee! thanks for your help, you pointed me to the right approach!

cheers jimmy