
Access Control - Variables



Dear List!

Is it possible to use variables in ACL rules?

I'm trying to implement an access-control structure for a
hardware-management-database.
Since it will be used for multiple customers, each customer should only
"see" their hardware.

The customers will be in 
cn=XY, ou=people, o=customerorganisation, ou=customers, o=myorganisation

Their hardware will be in
myobject=XYZ, o=customerorganisation, ou=customers, o=myorganisation

The people of my organisation (who will get write access to everything)
will be in 
cn=xy, ou=peole, o=myorganisation

So my ACL has to look something like this:
access to dn="myobject=XYZ, o=$1, ou=customers, o=myorganisation"
        by dn="cn=*,ou=peole, o=myorganisation" write
        by dn="cn=XY, ou=people, o=$1, ou=customers, o=myorganisation" write

Somewhere I've seen ACL-descriptions like these:
access to dn="(.*)?, o=$1, ou=customers, o=myorganisation"
        by dn="(.*)?, ou=peole, o=myorganisation" write
        by dn="(.*)?, ou=people, o=$1, ou=customers, o=myorganisation" write
        
My questions:
A: Will both of the above ACLs work, and if so, what is the difference?
B: Will the variable "o=$1" work? If not, how can I get a similar result
   without hard-coding every customer in the ACL?

Thanks for your help
Timo Boettcher
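
Added example, not part of the original post and not the directory server's own code: a small Python model of the per-customer policy the post describes, useful for checking that one customer can never reach another customer's hardware. It assumes a capture group in the target DN pattern is substituted for `$1` in the subject pattern; the patterns, the `access()` helper and the organisation names `acme` and `globex` are constructed for illustration.

```python
import re

# Constructed patterns modelled on the post's tree (assumptions, not server config).
# [^,]+ keeps a capture inside one RDN; ^...$ anchors the whole DN.
TARGET = r"^myobject=[^,]+,o=([^,]+),ou=customers,o=myorganisation$"
STAFF = r"^cn=[^,]+,ou=peole,o=myorganisation$"  # "peole" spelled as in the post
CUSTOMER = r"^cn=[^,]+,ou=people,o=$1,ou=customers,o=myorganisation$"


def normalize(dn: str) -> str:
    """Lower-case and drop spaces around RDN separators (simplified: no escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def expand(pattern: str, target_match: re.Match) -> str:
    """Replace $N with the regex-escaped Nth capture taken from the target DN."""
    return re.sub(
        r"\$(\d)",
        lambda m: re.escape(target_match.group(int(m.group(1)))),
        pattern,
    )


def access(subject_dn: str, target_dn: str) -> str:
    """Return "write" if the subject may write the target entry, else "none"."""
    target = re.match(TARGET, normalize(target_dn))
    if target is None:
        return "none"  # the rule does not cover this entry
    subject = normalize(subject_dn)
    for who in (STAFF, CUSTOMER):
        if re.match(expand(who, target), subject):
            return "write"
    return "none"


if __name__ == "__main__":
    # Constructed sample DNs.
    user = "cn=XY, ou=people, o=acme, ou=customers, o=myorganisation"
    for org in ("acme", "globex"):
        hw = f"myobject=XYZ, o={org}, ou=customers, o=myorganisation"
        print(org, access(user, hw))
```

Escaping the captured value before substitution matters: without it, an organisation name containing regex metacharacters would widen the subject pattern beyond that one customer.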