
Re: Restricted/controlled simple bind



Tobias Franzén wrote:

> I started fiddling around with regexp ACLs after I wrote my mail (I
> thought of it just as I was finishing the mail), and so far I have been
> able to limit access to the userPassword (and as such, simple binds) to
> users in ou=People who have a userPassword like regexp "{SASL}.+@REALM".
> However, I have yet to find a way to expand a regexp from the dn
> containing the uid, into the attrs regexp. My ACL looks something like
> this:
> 
> access to dn.regex="^uid=([^,]+),ou=People,dc=example,dc=com$"
>    attrs=userPassword val.regex="{SASL}.+@EXAMPLE.COM"
>        by self read
>        by anonymous auth
>        by * none
> 
> I have tried to use val.exact="{SASL}$1@EXAMPLE.COM" but it doesn't
> appear to expand the $1 from the first dn.regex as I would like. Any ideas?

Your wish does not find any correspondence in the documentation.  In
fact, there's no possibility to have such expansion, nor does it make much
sense, as there's no consequentiality implied in setting

	access to dn=pattern attr=desc val=value

since

	access to val=value attr=desc dn=pattern

would be exactly the same rule.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
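Two things a practitioner would want to check before deploying the ACL quoted in this thread, worked through as an added example (editor's code, not from the thread or from OpenLDAP): first, the posted val.regex "{SASL}.+@EXAMPLE.COM" has no anchors and an unescaped dot, so it accepts more userPassword values than intended; second, the per-entry check the original poster wanted ($1 from dn.regex inside the value pattern) is unsupported in slapd, as the reply says, but it can be run out of band over an export. The sample userPassword values below are constructed, the STRICT_VAL_REGEX is a suggested tightening rather than anything from the thread, and slapd's regex matching is assumed to follow POSIX regexec semantics (unanchored unless ^ and $ are written, as the poster's own dn.regex does).

```python
import re

# Patterns as posted on the list.  slapd is assumed to apply them with
# POSIX regexec semantics: no implicit anchoring, '.' matches any character.
DN_REGEX = r"^uid=([^,]+),ou=People,dc=example,dc=com$"
POSTED_VAL_REGEX = r"{SASL}.+@EXAMPLE.COM"

# Suggested tightening (editor's assumption, not from the thread): anchor
# both ends, escape the dot, and refuse an '@' inside the local part.
STRICT_VAL_REGEX = r"^\{SASL\}[^@]+@EXAMPLE\.COM$"


def value_matches(pattern: str, value: str) -> bool:
    """True if this userPassword value would satisfy the given val.regex."""
    return re.search(pattern, value) is not None


def audit_values(pattern: str, values):
    """Return, in order, the values that the val.regex would let through."""
    return [v for v in values if value_matches(pattern, v)]


def uid_bound_to_value(dn: str, value: str) -> bool:
    """The check slapd cannot express (no $1 expansion into val.regex):
    the entry's uid must equal the local part of its {SASL} password.
    Meant to run outside slapd, e.g. over an LDIF export of ou=People."""
    m = re.match(DN_REGEX, dn)
    if m is None:
        return False
    return value == "{SASL}%s@EXAMPLE.COM" % m.group(1)


# Constructed sample userPassword values for the audit.
SAMPLE_VALUES = [
    "{SASL}bob@EXAMPLE.COM",            # the intended form
    "{SASL}bob@EXAMPLE.COM.evil.test",  # no trailing '$': accepted by POSTED
    "x{SASL}bob@EXAMPLE.COM",           # no leading '^': accepted by POSTED
    "{SASL}bob@EXAMPLEXCOM",            # unescaped '.': accepted by POSTED
    "{SSHA}c2FsdHNhbHRzYWx0c2FsdA==",   # hashed password: refused by both
]

if __name__ == "__main__":
    for label, pattern in (("posted", POSTED_VAL_REGEX),
                           ("strict", STRICT_VAL_REGEX)):
        print(label, "accepts:", audit_values(pattern, SAMPLE_VALUES))
    print(uid_bound_to_value("uid=bob,ou=People,dc=example,dc=com",
                             "{SASL}bob@EXAMPLE.COM"))
```

The audit function is only a stand-in for slapd's own matching; its purpose is to show which of the constructed values each pattern lets reach the "by anonymous auth" clause. The uid_bound_to_value check has to stay outside slapd for the reason given in the reply: nothing in the access directive carries a submatch from the dn pattern into the value pattern, whatever order the clauses are written in.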