Re: extended acl
At 11:18 AM 6/15/99 +0800, Ivan Leong wrote:
>each user can only look/search/write to his record
>and his records in his addr book subtree.
Regex to the rescue... (please excuse minor syntax errors)
# user can write to mail entries below self
access to dn="mail=[^,]+,mail=([^,]+)"
        by dn="mail=$1" write
# user can write to ANY entries below self
access to dn=".*,mail=([^,]+)"
        by dn="mail=$1" write
Both of these would still require a self write rule.
Or you could:
access to dn="(.*,)?mail=([^,]+)"
        by dn="mail=$2" write
>my question is, is anyone extending on openldap's
>acl?
As needed, yes. But you're more than welcome to
contribute.
>support a new keyword "parent" might do it.
I think regex handles this simple case well.
Kurt
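The following is an added illustration, not part of the thread above and not OpenLDAP code: a small Python simulation of how the three regex ACL rules in the reply decide who may write to which entry. The directory layout (users as mail= entries under an assumed suffix o=example, with an address-book subtree beneath each), the user names, and the rule labels are all constructed for the example. slapd evaluates these patterns with the POSIX regex library; Python's re module agrees with it for patterns this simple. As in the post, the patterns are left unanchored, so matching is modelled as an unanchored search on both the target DN and the bound DN.

```python
import re

# Constructed sample data (assumption, not from the original post): each user is
# an entry "mail=<address>" directly under the suffix, with an address-book
# subtree beneath it.
SUFFIX = "o=example"
ALICE = f"mail=alice@example.org,{SUFFIX}"
BOB = f"mail=bob@example.org,{SUFFIX}"
USERS = [ALICE, BOB]  # DNs a client might bind as

ENTRIES = [
    ALICE,                                                      # alice's own record
    BOB,                                                        # bob's own record
    f"mail=carol@example.org,mail=alice@example.org,{SUFFIX}",  # mail= entry below alice
    f"cn=team,ou=lists,mail=alice@example.org,{SUFFIX}",        # non-mail entry below alice
    f"cn=dave,ou=lists,mail=bob@example.org,{SUFFIX}",          # non-mail entry below bob
]

# The three rules from the post as (target regex, "by dn" pattern).
# The rule names are ours, chosen for the simulation.
RULES = {
    "mail_below_self": (r"mail=[^,]+,mail=([^,]+)", r"mail=$1"),
    "any_below_self":  (r".*,mail=([^,]+)",         r"mail=$1"),
    "self_or_below":   (r"(.*,)?mail=([^,]+)",      r"mail=$2"),
}


def expand(by_pattern, match):
    """Substitute $1, $2, ... in the 'by dn' pattern with the groups captured
    from the target DN, the way slapd expands regex backreferences."""
    return re.sub(r"\$(\d)", lambda g: match.group(int(g.group(1))) or "", by_pattern)


def who_may_write(rule_name, target_dn, bound_dns=USERS):
    """Return the bound DNs that a single rule grants write on target_dn.

    The target DN is matched against the 'access to dn=' regex; on a hit the
    captured groups are substituted into the 'by dn=' pattern, which is then
    matched against each bound DN. Both are unanchored searches here because
    the patterns in the post carry no ^ or $ anchors.
    """
    target_re, by_pattern = RULES[rule_name]
    m = re.search(target_re, target_dn)
    if not m:
        return []  # the rule does not apply to this entry at all
    subject_re = expand(by_pattern, m)
    return [dn for dn in bound_dns if re.search(subject_re, dn)]


def access_matrix(rule_name):
    """Map every sample entry to the users the rule lets write to it."""
    return {entry: who_may_write(rule_name, entry) for entry in ENTRIES}


if __name__ == "__main__":
    for name in RULES:
        print(f"== {name} ==")
        for entry, writers in access_matrix(name).items():
            print(f"  {entry:60} <- {writers or 'nobody'}")
```

Running it shows the point made in the reply: under the first two rules a user's own record has no writer (the target regex needs at least one component in front of the user's mail= component), so a separate self write rule is needed, while the optional `(.*,)?` prefix in the third rule covers the record and its subtree in one line. It also shows that the first rule only reaches entries whose own RDN is mail=, whereas the second reaches any entry in the subtree. In a real slapd.conf you would normally anchor the target pattern with `^` and `$` so that it cannot match a component further down an unrelated DN.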