[Date Prev][Date Next] [Chronological] [Thread] [Top]

Access Control - Variables

To: openldap-software@OpenLDAP.org
Subject: Access Control - Variables
From: Timo <timo@gerichhausen.de>
Date: Fri, 24 Aug 2001 14:17:21 +0200

Dear List!

Is it possible to use Variables in ACL rules?

I'm trying to implement an access-control structure for a
hardware-management-database.
Since it will be used for multiple customers, each customer should only
"see" their hardware.

The customers will be in 
cn=XY, ou=people, o=customerorganisation, ou=customers, o=myorganisation

Their hardware will be in
myobject=XYZ, o=customerorganisation, ou=customers, o=myorganisation

The people of my organisation (who will get write access to everything)
will be in 
cn=xy, ou=peole, o=myorganisation

So my ACL has to look somehow like this:
access to dn="myobject=XYZ, o=$1, ou=customers, o=myorganisation"
        by dn="cn=*,ou=peole, o=myorganisation" write
        by dn="cn=XY, ou=people, o=$1, ou=customers, o=myorganisation"
write

Somewhere I've seen ACL-descriptions like these:
access to dn="(.*)?, o=$1, ou=customers, o=myorganisation"
        by dn="(.*)?, ou=peole, o=myorganisation" write
        by dn="(.*)?, ou=people, o=$1, ou=customers, o=myorganisation"
write
        
My Questions:
A: Will both of the above ACLS work, and, if, where is the difference?
B: Will the Variable "o=$1" work? If not, how can I get a similar result
without hard-coding
   every customer in the ACL?

Thanks for your help
Timo Boettcher

Follow-Ups:
- Re: Access Control - Variables
  - From: Pierangelo Masarati <masarati@aero.polimi.it>

Prev by Date: Ldapmodify giving Insufficient Access
Next by Date: Re: Access Control - Variables
Index(es):
- Chronological
- Thread