
Re: Specifying write access for more than one user?



Markus Fischer wrote:
> 
>     Hi again,
> 
>     While playing around I've found the following works:
> 
> >     When I use the default permission set:
> >
> >         access to attribute=userPassword
> >             by dn="cn=admin1,ou=administrators,o=company,c=TLD" write
> >             by anonymous auth
> >             by self write
> >             by * none
> >
> >         access to *
> >             by dn="cn=admin1,ou=administrators,o=company,c=TLD" write
> >             by * read
> >
> [...]
> >         by dn="cn=*,ou=administrators,o=company,c=TLD" write
> 
>     If I write
> 
>         by dn="ou=administartors,o=company,c=TLD" write
> 
>     All works without problems.
> 
>     Still I don't understand exactly why. At least, I don't
>     understand why it does not work when I use "cn=*...".

You seem to be a bit confused about regex(7); what you want to obtain, 
that is, to allow all administrators to write everything, is:

access to *
	by dn="cn=.*,ou=administrators,o=company,c=TLD" write
	by ...

Note the dot ('.' matches any character; '*' means zero or more occurrences of what precedes it).
A better solution would be

access to *
	by dn="cn=[^,]+,ou=administrators,o=company,c=TLD" write
	by ...

which means that you give that permission only to entries whose
RDN is a "cn" attribute with a non-empty value and that sit exactly
one level below "ou=administrators,o=company,c=TLD". This can be made
even more efficient (giving up the starting "cn" check) by using

access to *
	by dn.one="ou=administrators,o=company,c=TLD" write
	by ...

which means that only entries exactly one level below 
"ou=administrators,o=company,c=TLD" have that permission, saving
you the regexec() call.
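To make the difference between the four "by dn" forms concrete, here is a small
simulator I added for this reply; it is not code from the original thread nor from
OpenLDAP itself. It models `by dn="<regex>"` as a case-insensitive extended regex
applied unanchored (the way regexec(3) treats a pattern without '^' and '$'; that
unanchored behaviour is an assumption of the model) and `by dn.one="<base>"` as a
plain parent-DN comparison. The sample DNs are constructed for the demonstration, and
the parent-DN split assumes no escaped commas in attribute values.

```python
import re

# Constructed sample DNs for the demonstration (not from the original thread).
# Assumed normalized form: lower-case attribute types, no spaces after commas.
ADMIN_BASE = "ou=administrators,o=company,c=TLD"
SAMPLE_DNS = [
    "cn=admin1,ou=administrators,o=company,c=TLD",             # one level below: an admin
    "cn=admin2,ou=administrators,o=company,c=TLD",             # one level below: an admin
    "cn=helper,ou=interns,ou=administrators,o=company,c=TLD",  # two levels below
    "uid=svc,ou=administrators,o=company,c=TLD",               # one level below, RDN is uid= not cn=
    "cn=alice,ou=people,o=company,c=TLD",                      # unrelated subtree
]

# The four "by dn..." forms discussed in the thread, keyed by a short label.
CLAUSES = {
    "cn=*":     ("regex", "cn=*,ou=administrators,o=company,c=TLD"),      # the poster's attempt
    "cn=.*":    ("regex", "cn=.*,ou=administrators,o=company,c=TLD"),     # any char, any length
    "cn=[^,]+": ("regex", "cn=[^,]+,ou=administrators,o=company,c=TLD"),  # no comma in the value
    "dn.one":   ("one", ADMIN_BASE),                                      # exactly one level below
}


def dn_regex_matches(pattern: str, dn: str) -> bool:
    """Model slapd's `by dn="<regex>"`: extended regex, case-insensitive.
    Assumption: applied unanchored, like regexec(3) on a pattern without ^/$,
    so the pattern may match anywhere inside the DN string."""
    return re.search(pattern, dn, re.IGNORECASE) is not None


def parent_dn(dn: str) -> str:
    """Strip the leftmost RDN. Simplified: assumes no escaped commas in values."""
    _head, sep, rest = dn.partition(",")
    return rest if sep else ""


def dn_one_matches(base: str, dn: str) -> bool:
    """Model `by dn.one="<base>"`: grant only when the entry's parent is exactly base.
    No regex is involved; it is a normalized-string comparison."""
    return parent_dn(dn).lower() == base.lower()


def who_gets_write(dns=SAMPLE_DNS) -> dict:
    """For each clause, list the DNs that would be granted write access."""
    result = {}
    for label, (style, arg) in CLAUSES.items():
        if style == "regex":
            granted = [dn for dn in dns if dn_regex_matches(arg, dn)]
        else:
            granted = [dn for dn in dns if dn_one_matches(arg, dn)]
        result[label] = granted
    return result


if __name__ == "__main__":
    for label, granted in who_gets_write().items():
        print(f"{label}:")
        for dn in granted or ["(nobody)"]:
            print(f"    {dn}")
```

Running it shows the three outcomes the text describes: "cn=*" grants nobody (as a
regex it means "cn" followed by zero or more '=' characters, then ",ou=..."), "cn=.*"
also grants the helper entry two levels down because '.' happily matches commas,
"cn=[^,]+" grants only the two direct admins, and dn.one grants the direct children
regardless of their RDN attribute, with no regex evaluation at all.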

See the FAQ for more ACL details.

Pierangelo.

-- 
Dr. Pierangelo Masarati               | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale                | fax:   +39 02 2399 8334
Politecnico di Milano                 |
mailto:pierangelo.masarati@polimi.it
via La Masa 34, 20156 Milano, Italy   |
http://www.aero.polimi.it/~masarati