Re: "inverse" ACL
Pierangelo Masarati writes:
I'm afraid there's nothing like what you need; you may try to
do something this way:
access to dn.regex=".*(cn=.+)$"
        by group/organizationalRole/roleOccupant.regex="cn=ds-manager,$1" read
# ...
maybe in an incremental form:
access to dn.regex=".*([^,]+),dc=example,dc=com"
        by group/organizationalRole/roleOccupant.regex="cn=ds-manager,$1,dc=example,dc=com" read
access to dn.regex=".*([^,]+,[^,]+),dc=example,dc=com"
        by group/organizationalRole/roleOccupant.regex="cn=ds-manager,$1,dc=example,dc=com" read
access to dn.regex=".*([^,]+,[^,]+,[^,]+),dc=example,dc=com"
        by group/organizationalRole/roleOccupant.regex="cn=ds-manager,$1,dc=example,dc=com" read
access to dn.regex=".*([^,]+,[^,]+,[^,]+,[^,]+),dc=example,dc=com"
        by group/organizationalRole/roleOccupant.regex="cn=ds-manager,$1,dc=example,dc=com" read
with the required depth ...
Note that there was a bug in 2.1 code that inhibited the appropriate
evaluation of acls with regex substitution (fixed in HEAD); moreover,
the group access control is not implemented yet in back-bdb.
Pierangelo.
Dr. Pierangelo Masarati | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale | fax: +39 02 2399 8334
Politecnico di Milano | mailto:pierangelo.masarati@polimi.it
via La Masa 34, 20156 Milano, Italy | http://www.aero.polimi.it/~masarati
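
A way to check, before loading rules like the ones above, which group DN the `$1` substitution produces for a given entry; this is an added example, not code from the post or from OpenLDAP. It uses Python's `re` as a stand-in for slapd's regex matching (an assumption), and `expand_group_dn`, `VARIANT` and the sample DN are constructed for illustration.

```python
import re

# Pattern and <who> template as posted (first "incremental" rule).
POSTED = r".*([^,]+),dc=example,dc=com"
TEMPLATE = "cn=ds-manager,$1,dc=example,dc=com"
# Constructed variant for comparison (not from the post): no leading ".*",
# anchored at the end, so $1 is the whole RDN directly above the suffix.
VARIANT = r"([^,]+),dc=example,dc=com$"
# Constructed sample entry DN.
SAMPLE_DN = "uid=alice,ou=people,ou=sales,dc=example,dc=com"


def expand_group_dn(what_regex, who_template, entry_dn):
    """Return the group DN the <who> clause would name for entry_dn,
    or None when the <what> regex does not match the entry at all."""
    m = re.search(what_regex, entry_dn, re.IGNORECASE)
    if m is None:
        return None

    def sub(ref):
        n = int(ref.group(1))
        # Unset or out-of-range references expand to the empty string here.
        return (m.group(n) or "") if n <= m.re.groups else ""

    return re.sub(r"\$(\d)", sub, who_template)


if __name__ == "__main__":
    for name, pattern in (("posted", POSTED), ("variant", VARIANT)):
        print(name, "->", expand_group_dn(pattern, TEMPLATE, SAMPLE_DN))
```

In this stand-in the greedy `.*` of the posted pattern leaves only the last character of the RDN for `$1`, while the variant captures the full RDN.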