RE: About ACL
> In the original example there are users at multiple depths in the ou=
> hierarchy. To get all that in a single rule, try this:
>
> access to dn=".+,ou=(.+),o=XYZ"
> by dn="cn=[^,]+,ou=$1,o=XYZ"
>
Hello, what I would like to do is quite different.
Basically, the problem is the following:
"Given a user defined in a subtree, allow access (read-only) only to the subtree under which the user is attached"
Suppose the user is
cn=someone,a(N)=v(N),a(N-1)=v(N-1),a(N-2)=v(N-2),...,a(1)=v(1)
he can access only the subtree
.+,a(N)=v(N),a(N-1)=v(N-1),a(N-2)=v(N-2),...,a(1)=v(1)
Since the tree is modified by an application, the type of the tree nodes may vary (i.e. a(N) can be an ou or something else).
I don't know if it's possible to express this relation with the ACL semantics
access to <what>
by <who> <policy>
because I have to define <who> as a function of <what>, while the relation above is inverted.
The inverted relation would be
given a node
a(N)=v(N),a(N-1)=v(N-1),a(N-2)=v(N-2),...,a(1)=v(1)
allow read access (if existing) to
cn=([^,]+),a(1)=v(1) or
cn=([^,]+),a(2)=v(2),a(1)=v(1) or
cn=([^,]+),a(3)=v(3),a(2)=v(2),a(1)=v(1) or
....
cn=([^,]+),a(N)=v(N),a(N-1)=v(N-1),...,a(1)=v(1)
Anyway, it sounds very difficult to me to implement in a single RE.
Thanks for your help,
L.
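As an added illustration (not part of the original thread, and not slapd configuration), the following Python model checks the rule from the message above, "a user may read only entries strictly below the entry it hangs from", and enumerates, for a given node, the per-depth `cn=([^,]+),a(k)=v(k),...,a(1)=v(1)` patterns listed in the message, which is what makes a single regex hard. It assumes DNs with no escaped commas, and the sample DNs are constructed.

```python
import re


def split_dn(dn):
    """Split a DN into its RDNs. Assumes no escaped commas (simplified model)."""
    return [rdn.strip() for rdn in dn.split(",")]


def user_parent(user_dn):
    """Parent of the user entry: cn=someone,a(N)=v(N),...,a(1)=v(1) -> a(N)=v(N),...,a(1)=v(1)."""
    return ",".join(split_dn(user_dn)[1:])


def user_may_read(user_dn, target_dn):
    """Direct form of the rule: the target must be strictly below the user's parent,
    i.e. the user's parent is a proper suffix of the target DN (.+,a(N)=v(N),...,a(1)=v(1))."""
    parent = split_dn(user_parent(user_dn))
    target = split_dn(target_dn)
    return len(target) > len(parent) and target[-len(parent):] == parent


def who_regexes_for(node_dn):
    """Inverted form: for a node a(N)=v(N),...,a(1)=v(1), one 'by' pattern per
    ancestor depth, from cn=([^,]+),a(1)=v(1) up to cn=([^,]+),a(N)=v(N),...,a(1)=v(1)."""
    rdns = split_dn(node_dn)
    patterns = []
    for depth in range(1, len(rdns) + 1):
        suffix = ",".join(rdns[-depth:])          # the last `depth` RDNs of the node
        patterns.append(r"^cn=([^,]+)," + re.escape(suffix) + "$")
    return patterns


def matches_any(user_dn, node_dn):
    """True when the user DN matches one of the per-depth patterns for the node."""
    return any(re.match(p, user_dn) for p in who_regexes_for(node_dn))


if __name__ == "__main__":
    # Constructed sample: a user two levels below o=XYZ, under ou=b.
    user = "cn=someone,ou=b,o=XYZ"
    node = "ou=a,ou=b,o=XYZ"
    print(user_may_read(user, "cn=x," + node))     # True: under ou=b
    print(user_may_read(user, "cn=y,ou=c,o=XYZ"))  # False: sibling subtree
    for pattern in who_regexes_for(node):
        print(pattern)                             # one pattern per depth, as in the post
    print(matches_any(user, node))                 # True
```

Because each depth of the node needs its own literal suffix in the `by` pattern, the list returned by `who_regexes_for` grows with the depth of the target, which is the point the message makes about a single RE.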