
Re: acl again



quote Pierangelo Masarati (8.11.2001):

> > Hi there,
> >
> > ok, the main wattles about regex i check, but why doesn't this rule
> > work?
> >
> > ---
> > access to dn="(dc=[^,]+,)*(dc=[^,]+)$"
> > 	by group/organizationalRole/roleOccupant="cn=Domain Administrator, ou=Roles, $1 $2" write
>
> Before going into details, remember that ACLs and significantly regexes
> operate on NORMALIZED DNs, so you'd write:

> access to dn="(dc=[^,]+,)*(dc=[^,]+)$"
>     by group/organizationalRole/roleOccupant="cn=Domain Administrator,ou=Roles,$1$2" write

ok, now i write a rule, which works for a hierarchy of three dc-levels and
is recursive.
(that means that "cn=Domain Administrator,ou=Roles,dc=uni-leipzig,dc=de"
has all rights in "dc=imise,dc=uni-leipzig,dc=de")

access to dn="^(dc=[^,]+,)?(dc=[^,]+,)?(dc=[^,]+)"
	by group/organizationalRole/roleOccupant="cn=Domain Administrator,ou=Roles,$3" write
	by group/organizationalRole/roleOccupant="cn=Domain Administrator,ou=Roles,$2$3" write
	by group/organizationalRole/roleOccupant="cn=Domain Administrator,ou=Roles,$1$2$3" write
	by * read

with
access to dn="^(dc=[^,]+,)*(dc=[^,]+)"
there is no "three-level-restriction" but also no recursion, because i cannot use
these "by group" lists.

any ideas, how i can consolidate these two things?

   Sebastian Dietzold

-- 
Sebastian Dietzold
Institute for Medical Informatics,
Statistics and Epidemiology (IMISE)
University of Leipzig
Liebigstrasse 27
04103 Leipzig
Phone: +49 (0)341-9716114
Fax:   +49 (0)341-9716130
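
Added example (not part of the original message, and not OpenLDAP code): a small Python simulation of how the `$N` backreferences in the two rules above expand for a given normalized DN. It assumes Python's `re` captures the same substrings as slapd's regex for these patterns, that an unmatched group expands to an empty string, and it borrows the `$1$2` template from the quoted reply for the `*` rule; `group_dns`, `expand`, `THREE_LEVEL` and `STAR` are hypothetical names.

```python
import re

ROLE = "cn=Domain Administrator,ou=Roles,"

# (regex from the "access to dn=" clause, backreference templates from the "by group" clauses)
THREE_LEVEL = (r"^(dc=[^,]+,)?(dc=[^,]+,)?(dc=[^,]+)", ["$3", "$2$3", "$1$2$3"])
STAR = (r"^(dc=[^,]+,)*(dc=[^,]+)", ["$1$2"])  # template taken from the quoted reply


def expand(template, match):
    """Replace each $N with capture N; a group that did not take part becomes ''."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))) or "", template)


def group_dns(rule, ndn):
    """Group DNs the rule would consult for a normalized DN, in 'by' order.

    Returns [] when the regex does not select the entry at all.
    """
    pattern, templates = rule
    match = re.search(pattern, ndn)
    if match is None:
        return []
    return [ROLE + expand(t, match) for t in templates]


if __name__ == "__main__":
    # Constructed sample DNs, already normalized (no spaces after commas).
    samples = [
        "dc=uni-leipzig,dc=de",
        "dc=imise,dc=uni-leipzig,dc=de",
        "dc=a,dc=imise,dc=uni-leipzig,dc=de",  # four levels
        "cn=someone,dc=imise,dc=uni-leipzig,dc=de",
    ]
    for ndn in samples:
        print(ndn)
        for name, rule in (("three-level", THREE_LEVEL), ("star", STAR)):
            for dn in group_dns(rule, ndn) or ["(entry not selected)"]:
                print(f"  {name:11} -> {dn}")
```

The `*` group keeps only its last repetition, so `$1$2` names a single ancestor instead of every level, while the three-level pattern on a four-level DN stops `$3` at `dc=uni-leipzig` and consults a role DN outside the real suffix.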