[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldap ACLS with regex

On Tuesday, 15 May 2007, Jeronimo Zucco wrote:
> Now it is working, with the following ACL:
> access to
>         dn.regex="^cn=(.*),ou=([^,]+),ou=PersonalAddressBook,suffix$"
>         by dn.regex="uid=$2,.*,ou=People,dc=suffix$" write

If this one works, it conflicts the the example user DNs you supplied (where 
you had a cn value in the user's addressbook container matching the uid 
naming attribute in their DN).

And, even if it does work, it is, as I noted on IRC, horribly insecure. Your 
users can not expect *any* privacy with this regex.

If you can't sanitise the DNs in your examples without confusing the issue, 
maybe you should post the real DNs, so that people help you with the problem 
you have, not the one you think you have ...


Buchan Milne
ISP Systems Specialist - Monitoring/Authentication Team Leader

Attachment: pgptICUXqaeob.pgp
Description: PGP signature