
ACL Question
Hello all,

I have the following structure on my LDAP server:

ou=Misc,dc=diegolima,dc=org
ou=Users,dc=diegolima,dc=org

Under Users I have some user accounts, such as
cn=user1,ou=Users,dc=diegolima,dc=org. I'd like to allow users to
create an OU under ou=Misc as long as the OU has the user's name, such
as ou=user1,ou=Misc,dc=diegolima,dc=org for user1 or
ou=user2,ou=Misc,dc=diegolima,dc=org for user2. However, I wouldn't
like to simply create an ACL such as:

access to dn.exact="ou=Misc,dc=diegolima,dc=org"
    by * add

as this ultimately allows user1 to create an ou named
"ou=user2,ou=Misc". What I first tried was adding an ACL like this:

access to dn.regex="^ou=([^,]+),ou=Misc,dc=diegolima,dc=org"
    by dn.exact,expand="cn=$1,dc=diegolima,dc=org" write
    by * none

However, I receive an error telling me that I need write access to the
parent entry to create this, and if I use the first ACL I seem to be
able to create OUs without any naming restriction. Is there even a way
to accomplish this?

Thank you very much!

-- 
Diego Lima
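An added example (not from the post or any list reply) of how this is usually solved in slapd.conf: an add operation needs write access to the parent's "children" pseudo-attribute and to the new entry's "entry" pseudo-attribute. The parent-side check only sees the parent DN, so the per-name restriction has to be placed on the child entry; it assumes the accounts live under ou=Users as described, and that these rules appear before any broader "access to *" rule.

```conf
# Parent side: any authenticated user may add (or delete) direct children
# of ou=Misc. This rule alone does not let user1 create ou=user2, because
# the add also has to pass the per-entry rule below.
access to dn.exact="ou=Misc,dc=diegolima,dc=org" attrs=children
    by users write
    by * none

# Child side: the new entry (its "entry" pseudo-attribute, objectClass,
# ou, ...) is writable only by the user whose cn equals the OU name.
# $1 is the captured OU value; the regex is anchored on both ends so
# "ou=user1,ou=Misc,..." cannot be matched as part of a deeper DN.
# Assumed: accounts are cn=<name>,ou=Users,dc=diegolima,dc=org.
access to dn.regex="^ou=([^,]+),ou=Misc,dc=diegolima,dc=org$"
    by dn.exact,expand="cn=$1,ou=Users,dc=diegolima,dc=org" write
    by * none

# Optional: also let each user manage everything below their own OU.
# $2 is the OU name here because the optional prefix is capture group 1.
access to dn.regex="^(.+,)?ou=([^,]+),ou=Misc,dc=diegolima,dc=org$"
    by dn.exact,expand="cn=$2,ou=Users,dc=diegolima,dc=org" write
    by * none
```

With this, user1 adding ou=user2,ou=Misc passes the children check but fails the entry check, so the add is refused; deleting user2's OU fails the same way. On OpenLDAP 2.4 and later, "by users add" on the children rule narrows the parent grant to adds only.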