[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACLs - match FDN to portion of attribute

Hi Andrew
I finally figured it out and here is what I did:

access to attrs=uofsGroupRole val.regex="^([^:]+):.+$"
  by dn.exact,expand="${v1}" read
  by * none

Only attribute that contains users' dn within its value is available to said user. It works exactly the way I want it. Only difference from documentation is "${v1}" which explained here: http://www.openldap.org/lists/openldap-bugs/200811/msg00078.html if you are interested...

Thank you for your response,

On 04/14/2010 12:35 PM, Andrew Findlay wrote:
On Tue, Apr 13, 2010 at 10:38:37AM -0600, Sergiy Stepanenko wrote:

an Entry has attribute uofsGroupRole that may contain values like :
uid=some_user, ou=nsids,ou=people,dc=usask,dc=ca:some_role

only user with matching uid may see this attribute and its value.

I tried :
access to attrs=uofsGroupRole
   by dn.regex="uid=$1,ou=nsids,ou=people,dc=usask,dc=ca$" read

And it did not work as required. I know the problem in regex, but I can not
find it.

The final dollar sign in the 'by' clause needs to be escaped with a
second dollar sign - like this example from the slapd.access manpage:

            access to dn.regex="^(.+,)?uid=([^,]+),dc=[^,]+,dc=com$"
                by dn.regex="^uid=$2,dc=[^,]+,dc=com$$" write

In your case, you could probably simplify the 'by' clause like this:

access to attrs=uofsGroupRole
   by dn.exact,expand="uid=$1,ou=nsids,ou=people,dc=usask,dc=ca" read

Make sure that you have a rule that will deny access to other users.


Sergiy Stepanenko
Systems Administrator
Information Technology Services
University of Saskatchewan
phone:    (306) 966-2762