
Re: ACL attr=children problem

Pierangelo Masarati wrote:
> On Wed, 2005-11-16 at 15:48 +0100, Jimmy Ott wrote:
>>>Did you read slapd.access(5)?  If you didn't, go and do it.  If you did,
>>>you might have misunderstood the meaning of the pseudo-attribute
>>I've read it a few times, but so I've misunderstood it, my English isn't
>>very good.
>>Quote: "The statement attrs=<attrlist> selects the attributes the access
>>control rule applies to. It is a comma-separated list of attribute
>>types, plus the special names entry, indicating access to the entry
>>itself, and children, indicating access to the entry's children"
>>What are the entry's children? Not child objects of an ou?
>>And what is the right approach for my problem?
> You should go a little below.  "children" grants access to child objects
> for the appropriate operations, i.e. to add a child or delete one.  They
> have nothing to do with accessing the child entry itself.  It's the
> "entry" pseudo-attribute that refer to the object itself (i.e., for a
> search, to the possibility to return the DN).
> If you look at the "OPERATION REQUIREMENTS" section, you'll see what
> access to what entities is required for each operation and each
> operation phase.  Since you're using an old (and patched by the packager
> and known to be buggy) version, this section may be incomplete or even
> not present, I don't recall.  In that case, I suggest you grab a more
> recent version (e.g. the one from OpenLDAP 2.2.29, or even from the 2.3
> branch, although in that case there might be small and subtle
> differences).  You may even feel like upgrading :)
> p.
> Ing. Pierangelo Masarati
> Responsabile Open Solution
> SysNet s.n.c.
> Via Dossi, 8 - 27100 Pavia - ITALIA
> http://www.sys-net.it
> ------------------------------------------
> Office:   +39.02.23998309          
> Mobile:   +39.333.4963172
> Email:    pierangelo.masarati@sys-net.it
> ------------------------------------------

Thank you, I'm now understanding the meaning of the pseudo-attribute
children. So if I'm correct, with this ACL, the postmaster is now able
to create or delete an object in this ou.

I can't upgrade now, because this is a stable system, so I have to try it
with this version at the moment.

... but my problem, modifying entries in an ou, is not solved yet, so
what is the correct syntax for an ACL which does the following?

Grant access by postmaster to all entries in the ou where the postmaster
is placed in!

I should have something like this:

access to dn.subtree.regex="^ou=(.+),ou=domains,suffix$"
          by dn.regex="^cn=postmaster,ou=$1,ou=domains,suffix$" write

But I know this is not possible. So I'm stuck, I need a new approach :(

Cheers, Jimmy
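An added slapd.conf example, not taken from the thread, that separates the two pseudo-attributes Pierangelo describes: "children" on the parent ou for add/delete, and the entries below it (including their "entry" pseudo-attribute) for modifying them. It assumes the suffix dc=example,dc=com, a single fixed domain ou named ou=example.com, and a postmaster entry cn=postmaster directly below it, so it does not use the regex substitution form.

```conf
# Added example (not from the thread). Assumed names: suffix
# dc=example,dc=com, domain ou=example.com under ou=domains, and the
# postmaster entry cn=postmaster,ou=example.com,ou=domains,dc=example,dc=com.

# 1. "children" on the domain ou itself: lets the postmaster add or
#    delete entries directly under ou=example.com. By itself this grants
#    nothing on the contents of those child entries.
access to dn.exact="ou=example.com,ou=domains,dc=example,dc=com" attrs=children
        by dn.exact="cn=postmaster,ou=example.com,ou=domains,dc=example,dc=com" write
        by * none

# 2. The entries below the ou (all attributes, which includes the "entry"
#    pseudo-attribute): lets the postmaster read, search and modify them.
#    dn.children matches entries strictly below the ou, not the ou itself.
access to dn.children="ou=example.com,ou=domains,dc=example,dc=com"
        by dn.exact="cn=postmaster,ou=example.com,ou=domains,dc=example,dc=com" write
        by * read

# 3. Everything else stays read-only; later rules are not reached for
#    entries already matched above, so order matters.
access to *
        by * read
```

Rule 1 alone reproduces what the thread observed (create/delete works, modify does not); rule 2 is the part that covers modifying entries inside the ou.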