[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Access control question

To: "Daniel Tiefnig" <daniel.tiefnig@infonova.at>
Subject: Re: Access control question
From: "sheujun" <sheujun@newtimetech.com>
Date: Fri, 30 Nov 2001 14:14:17 -0800
Cc: "Openldap Discussion group" <openldap-software@OpenLDAP.org>
References: <004101c17798$8ad16e80$4900a8c0@sheu> <Xns9166B2A2CB1EFdtiefniginfonova@192.168.9.70>

thanks for your help，finally i got an acl like this:

access to dn="cn=[^,]+,ou=([^,]+),dc=com"
 by dn="ou=$1,dc=com" write
 by dn="cn=*,ou=$1,dc=com" read
 by * none

access to *
    by self write
    by * none

my tree is like this:
dc=root
        ------ ou=a
                    -----cn=1
                    -----cn=2
        -------ou=b
                    -----cn=1
                    -----cn=2
the acl had achieved these effect:
1.every node write self
2.dn like cn=1,ou=a,dc=com can read other dn on level in same group
3.dn like cn=1,ou=a,dc=com can be write by its parent node

but i have a question is :
    why  cn=1,ou=a,dc=com can write cn=2,ou=a,dc=com

maybe i can't understand "$1", what it represent?


best regards,

sheujun

References:
- Access control question
  - From: "sheujun" <sheujun@newtimetech.com>
- Re: Access control question
  - From: Daniel Tiefnig <openldap@qmail.infonova.at>

Prev by Date: RE: Re: problem with database sql for ldap
Next by Date: RE: problem with searching on objectclass=bankDepartment
Index(es):
- Chronological
- Thread