
Re: New Listmember with a olcAccess question



Howard Chu wrote:
> Fischer, Johannes wrote:
>> And here the rule for a regex access:
>>
>> olcAccess: {1}to dn.regex="^o(.+),dc=organizations,dc=example,dc=ldap$"
>>    attrs=children
>>    by group.exact="cn=ADMINS,o=[$1],dc=organizations,dc=example,dc=ldap$" write
>>    by group.exact="cn=USER,o=[$1],dc=organizations,dc=example,dc=ldap$" read
>>    by * none
>>
>> Can somebody help me? Or is such a thing not possible to do?
>
> Your rule uses group.exact, which means it is NOT doing regex evaluation.

Besides that

  dn.regex="^o(.+),dc=organizations,dc=example,dc=ldap$"

should probably be

  dn.regex="^o=(.+),dc=organizations,dc=example,dc=ldap$"

Also the [] brackets in the who clause should be curly brackets {}.

Personally I also prefer to always use ${d1} to make it explicit that the DN regex
is addressed (as opposed to val.regex, referenced as ${v1}).

> Read the slapd.access(5) manpage again.

Yes, one has to really spend lots of time with this man page!

Also use loglevel ..,ACL,.. to see valuable output on how your ACLs are processed.

Ciao, Michael.
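
Added example, not part of the original message: a Python simulation (Python's `re` module, not slapd's own matcher) of which group DN the rule points at as posted and after the corrections in this reply. The sample DN `o=acme,...`, the helper names, the `expand` group style (taken from slapd.access(5), not named in the thread) and dropping the trailing `$` from the corrected who string are assumptions.

```python
import re

# Constructed sample entry DN under the tree used in the thread.
SUFFIX = ",dc=organizations,dc=example,dc=ldap"
ENTRY_DN = "o=acme" + SUFFIX

WHAT_ORIGINAL = "^o(.+)" + SUFFIX + "$"    # as posted: "=" missing after "o"
WHAT_FIXED = "^o=(.+)" + SUFFIX + "$"      # corrected form from the reply

# Who strings: as posted (square brackets, trailing "$") and corrected.
WHO_ORIGINAL = "cn=ADMINS,o=[$1]" + SUFFIX + "$"
# Assumption: no trailing "$", since an expanded string is not a regex.
WHO_FIXED = "cn=ADMINS,o=${d1}" + SUFFIX


def submatches(what_regex, entry_dn):
    """Return [whole match, $1, $2, ...] for the <what> dn.regex, or None."""
    m = re.search(what_regex, entry_dn)
    return None if m is None else [m.group(0), *m.groups()]


def expand(who, subs):
    """Substitute $N, ${N} and ${dN} in a <who> string with DN submatches."""
    return re.sub(r"\$\{d?(\d+)\}|\$(\d)",
                  lambda m: subs[int(m.group(1) or m.group(2))], who)


def group_dn(what_regex, who, style, entry_dn=ENTRY_DN):
    """DN of the group entry that would be consulted for entry_dn."""
    subs = submatches(what_regex, entry_dn)
    if subs is None:
        return None               # <what> clause does not select this entry
    if style == "exact":
        return who                # no substitution: the string is used literally
    return expand(who, subs)      # "expand": replacement string, not a regex


if __name__ == "__main__":
    for label, what, who, style in [
        ("as posted", WHAT_ORIGINAL, WHO_ORIGINAL, "exact"),
        ("expand only", WHAT_ORIGINAL, WHO_ORIGINAL, "expand"),
        ("all fixes", WHAT_FIXED, WHO_FIXED, "expand"),
    ]:
        print(f"{label:12} -> {group_dn(what, who, style)}")
```

The middle case shows why the missing `=` matters on its own: the posted regex still matches the entry, but the first submatch becomes `=acme`, so no existing group DN can result.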

