
Re: ACLs on OUs and their children/leaves
--On Monday, February 21, 2005 9:43 PM +0100 Markus Wernig <listener@wernig.net> wrote:

Pierangelo Masarati wrote:

|> access to dn.sub="ou=users,dc=domain,dc=tld"
|>        by dnattr="ou" write
|
|
| This is wrong because, as the name says, you need to set "dnattr" to an
| attribute that is DN-valued (or nameAndOptionalUID-valued, like
| uniqueMember).  The solution to your problem is:
|
| access to dn.regex="(.+,)?(ou=[^,]+,ou=users,dc=domain,dc=tld)$"
|    by dn.exact,expand="$2" write
|
| i.e. grab the terminal portion of the DN and use it to compare with the
| identity of the operation.
|
Ciao Pierangelo

Thank you very much - this solved my problem.
I'm a bit puzzled, though ... I didn't find any reference to the
backreferencing capabilities of slapd's regex (expand=$2) in the manuals
that I read. Does anybody know where to find the appropriate
documentation (besides in the code)?

man slapd.access (5)

There is even an example of using expand provided (at least in OL 2.2.23).

--Quanah


--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

"These censorship operations against schools and libraries are stronger
than ever in the present religio-political climate. They often focus on
fantasy and sf books, which foster that deadly enemy to bigotry and blind
faith, the imagination." -- Ursula K. Le Guin
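The following is an added example, not code from the thread or from OpenLDAP: a small Python emulation of how slapd evaluates the two ACLs discussed above, so that the effect of the `$2` back-reference in `by dn.exact,expand="$2"` can be checked against concrete DNs before touching slapd.conf. It keeps the regex from Pierangelo's reply verbatim and only models the matching step; the DN values, the `regex_acl_grants_write`/`dnattr_acl_grants_write` function names and the sample entries are constructed for the example. Real slapd compares normalized DNs, which is assumed away here by feeding lowercase, consistently formatted strings.

```python
import re

# Emulation (added example, not slapd code) of the ACL from the thread:
#
#   access to dn.regex="(.+,)?(ou=[^,]+,ou=users,dc=domain,dc=tld)$"
#       by dn.exact,expand="$2" write
#
# slapd matches the <what> regex against the target entry's DN, then
# substitutes the captured groups into the <who> clause before comparing
# the result with the DN of the bound identity.  Real slapd works on
# normalized DNs; this toy compares the strings as given (assumption:
# inputs are already lowercase and consistently formatted).

WHAT_RE = re.compile(r"^(.+,)?(ou=[^,]+,ou=users,dc=domain,dc=tld)$")
WHO_TEMPLATE = "$2"          # the expand="$2" part of the <who> clause


def expand(template, match):
    """Replace $N in the <who> template with group N of the <what> match."""
    return re.sub(r"\$(\d+)",
                  lambda m: match.group(int(m.group(1))) or "",
                  template)


def regex_acl_grants_write(target_dn, bind_dn):
    """True/False if the ACL applies and grants/denies write to bind_dn;
    None if the <what> clause does not match target_dn at all (slapd would
    then move on to the next 'access to' directive)."""
    m = WHAT_RE.match(target_dn)
    if m is None:
        return None
    ou_dn = expand(WHO_TEMPLATE, m)   # e.g. "ou=marketing,ou=users,..."
    return bind_dn == ou_dn           # dn.exact: whole-DN comparison


def dnattr_acl_grants_write(entry_attrs, bind_dn, attr="ou"):
    """Why the original 'by dnattr="ou" write' never matched: dnattr takes
    the values of <attr> in the target entry and compares each one, as a
    DN, with the bind DN.  'ou' holds a plain name such as 'marketing',
    which is never equal to a DN, so the clause grants nothing."""
    return any(v == bind_dn for v in entry_attrs.get(attr, []))


if __name__ == "__main__":
    # Constructed sample data for the layout in the thread.
    ou_admin = "ou=marketing,ou=users,dc=domain,dc=tld"
    user = "uid=joe,ou=marketing,ou=users,dc=domain,dc=tld"
    print(regex_acl_grants_write(user, ou_admin))                              # True
    print(regex_acl_grants_write(user, "ou=sales,ou=users,dc=domain,dc=tld"))  # False
    print(dnattr_acl_grants_write({"ou": ["marketing"]}, ou_admin))            # False
```

Two things worth checking with such an emulation before deploying the rule: group 1 is optional, so the regex also matches the OU entry itself (`ou=marketing,ou=users,...`), meaning the OU identity gets write access to its own entry, not only to the leaves; and because group 2 stops at the first `ou=...` component that is directly under `ou=users`, entries in nested sub-OUs are covered as well. Entries elsewhere in the tree (for example under `ou=users` directly, or outside it) do not match the `<what>` clause at all and fall through to the next `access to` directive.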