Re: ACLs - match FDN to portion of attribute



On Tue, Apr 13, 2010 at 10:38:37AM -0600, Sergiy Stepanenko wrote:

> an Entry has attribute uofsGroupRole that may contain values like :
> uid=some_user, ou=nsids,ou=people,dc=usask,dc=ca:some_role
>
> only user with matching uid may see this attribute and its value.
>
> I tried :
> access to attrs=uofsGroupRole 
> val.regex="uid=([^,]+),ou=nsids,ou=people,dc=usask,dc=ca.*$"
>   by dn.regex="uid=$1,ou=nsids,ou=people,dc=usask,dc=ca$" read
>
> And it did not work as required. I know the problem is in the regex, but I
> cannot find it.

The final dollar sign in the 'by' clause needs to be escaped with a
second dollar sign - like this example from the slapd.access manpage:

           access to dn.regex="^(.+,)?uid=([^,]+),dc=[^,]+,dc=com$"
               by dn.regex="^uid=$2,dc=[^,]+,dc=com$$" write

In your case, you could probably simplify the 'by' clause like this:

access to attrs=uofsGroupRole 
  val.regex="uid=([^,]+),ou=nsids,ou=people,dc=usask,dc=ca.*$"
  by dn.exact,expand="uid=$1,ou=nsids,ou=people,dc=usask,dc=ca" read

Make sure that you have a rule that will deny access to other users.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
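The per-value matching Andrew's rule relies on, modelled in Python as an added illustration (not code from this thread or from OpenLDAP): the val.regex captures the uid from each attribute value, `$1` is expanded into the `by` DN, and the requester's DN must equal it exactly. The DN normalisation (lower-casing, dropping spaces after commas) and the sample values are assumptions made for the illustration.

```python
import re

# Pattern and template exactly as in the suggested ACL.
VAL_REGEX = re.compile(r"uid=([^,]+),ou=nsids,ou=people,dc=usask,dc=ca.*$")
BY_DN_EXPAND = "uid=$1,ou=nsids,ou=people,dc=usask,dc=ca"


def expand(template: str, m: "re.Match") -> str:
    """Expand $N to capture group N and $$ to a literal '$', which is
    why a trailing regex anchor in a 'by' clause must be written '$$'."""
    def repl(tok):
        return "$" if tok.group(0) == "$$" else m.group(int(tok.group(1)))
    return re.sub(r"\$\$|\$(\d)", repl, template)


def normalize_dn(dn: str) -> str:
    # Assumed normalisation standing in for slapd's DN normalisation.
    return re.sub(r",\s*", ",", dn.strip()).lower()


def may_read(requester_dn: str, value: str) -> bool:
    """True only if the value matches val.regex AND the expanded 'by' DN
    equals the requester's DN. Values the regex does not match are not
    covered by this rule at all, so a later deny rule must catch them."""
    m = VAL_REGEX.search(value)
    if m is None:
        return False
    return normalize_dn(requester_dn) == normalize_dn(expand(BY_DN_EXPAND, m))


def visible_values(requester_dn: str, values: list) -> list:
    """The subset of an entry's uofsGroupRole values this requester may see."""
    return [v for v in values if may_read(requester_dn, v)]


# Constructed sample values for one entry's uofsGroupRole attribute.
SAMPLE_VALUES = [
    "uid=alice,ou=nsids,ou=people,dc=usask,dc=ca:admin",
    "uid=bob,ou=nsids,ou=people,dc=usask,dc=ca:member",
    "uid=alice,ou=staff,ou=people,dc=usask,dc=ca:auditor",  # not matched by val.regex
]

if __name__ == "__main__":
    print(visible_values("uid=alice,ou=nsids,ou=people,dc=usask,dc=ca", SAMPLE_VALUES))
```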