ACL by objectClass
- To: openldap-technical@openldap.org
- Subject: ACL by objectClass
- From: Evgeny Basov <ya.mwork@yandex.ru>
- Date: Tue, 12 Mar 2013 18:07:32 +0400
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130225 Thunderbird/17.0.3
Hello, everybody.
I have this structure:
dn: o=z
objectclass: organization
objectclass: top
o: z

dn: domainName=example.org,o=z
objectclass: mailDomain
objectclass: top
domainname: example.org

dn: uid=user,domainName=example.org,o=z
objectclass: account
objectclass: mailUser
objectclass: top
mail: user@example.org
uid: user
and want to grant access only for members of subtree of every domainName:
dn: ou=Admins,domainName=example.org,o=z
objectclass: organizationalUnit
objectclass: top
ou: Admins

dn: uid=postmaster,ou=Admins,domainName=example.org,o=z
objectclass: account
objectclass: mailAdmin
objectclass: top
mail: postmaster@example.org
uid: postmaster
write ACL:
{0}to attrs=userPassword
by self write
by anonymous auth
by * none
{1}to dn.regex="^(.+,)?(domainName=[^,]+,o=z)$"
by dn.onelevel,expand="ou=Admins,$2" write
{2}to *
by self write
and all is working fine, but I want to add something like this:
dn: uid=admin,domainName=example.org,o=z
objectclass: account
objectclass: mailAdmin
objectclass: top
mail: admin@example.org
uid: admin
and rewrite ACL
to dn.regex="^(.+,)?(domainName=[^,]+,o=z)$"
by dn.onelevel,expand="ou=Admins,$2" write
to grant write access to all subentries of domainName which have
objectClass=mailAdmin.
Is it possible? How can I do it?
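One way the rewritten clause could be expressed, shown here as an added illustration that is not part of the original post and not an answer from the OpenLDAP project. It assumes slapd.conf syntax and that the slapd version in use accepts an LDAP URI inside a `set` ACL expression; confirm both against slapd.access(5) and test with slapacl before deploying.

```conf
# Added illustration, not from the original post. Assumes slapd.conf syntax
# and that this slapd accepts an LDAP URI inside a "set" ACL; verify against
# slapd.access(5) for the version in use.

access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# $2 is the domain entry captured from the target DN, for example
# domainName=example.org,o=z. The set is non-empty only when the bound DN
# is itself returned by a subtree search under $2 for objectClass=mailAdmin,
# so uid=admin,domainName=example.org,o=z and
# uid=postmaster,ou=Admins,domainName=example.org,o=z both get write access
# to entries of example.org, while a mailAdmin of another domain does not
# (its DN is not under that domain's $2). Everyone else is denied by the
# implicit "by * none" at the end of the clause.
access to dn.regex="^(.+,)?(domainName=[^,]+,o=z)$"
    by set.expand="user & [ldap:///$2??sub?(objectClass=mailAdmin)]" write

access to *
    by self write

# Check the result offline before relying on it (run on the server host;
# slapacl evaluates the ACLs from the config without a client session):
#   slapacl -f /etc/openldap/slapd.conf \
#       -D uid=admin,domainName=example.org,o=z \
#       -b uid=user,domainName=example.org,o=z mail/write
#   slapacl -f /etc/openldap/slapd.conf \
#       -D uid=user,domainName=example.org,o=z \
#       -b uid=postmaster,ou=Admins,domainName=example.org,o=z mail/write
# The first should report write granted, the second denied.
```

For cn=config deployments the same clauses go into olcAccess values with the `{n}` ordering prefixes used in the post.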