[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: I need help with ACL

To: openldap-software@OpenLDAP.org
Subject: Re: I need help with ACL
From: "Ace Suares" <ace@suares.com>
Date: Wed, 11 Sep 2002 19:00:02 -0400
Content-description: Mail message body
In-reply-to: <000f01c259b3$9950c2a0$0102010a@viewww>

Hi,

Let me try to find an answer, but don't blame me if it's wrong:

> sn=toto,o=bookmarks,c=fr
> dcEntry=google,sn=toto,o=bookmarks,c=fr
> dcEntry=yahoo,sn=toto,o=bookmarks,c=fr
> sn=titi,o=bookmarks,c=fr
> dcEntry=google,sn=titi,o=bookmarks,c=fr
> dcEntry=yahoo,sn=titi,o=bookmarks,c=fr


access to "dcEntry=.*,sn=(.*),o=bookmarks,c=fr"
 by dn="sn=$1,o=bookmarks,c=fr" write
 by * read

this 'trick' depends on regular expressions; the first () in the 
what-part can be referenced as $1

So, if toto is accessing the bookmarks, the first 'by' clause will 
be:

 by sn=toto,o=bookmarks,c=fr write

and if titi is accessing the bookmarks, the first 'by' clause will

 by sn=titi,o=bookmarks,c=fr write

Greetings,
Ace

> I want toto to be able to read all bookmarks (of toto AND titi) and to be able to write only his bookmarks
> 
> I can do it with a simple ACL, but I don't know how to do for an inifinite count of users
> 
> I thought about something like this
> 
> access to ".*,sn=self,o=bookmarks,c=fr"
>    by self write
>    by * read
> 
> But it seems it doesn't work
> 
> Someone has an idea (or a better modelisation) ?
> 
> Thanks
> 
> 
> 
> 


-- 
Ace Suares, Internet Consultancy and Training
Keizersgracht 132,      1015 CW AMSTERDAM, NL
phone: 06 557 06 554    (+31 6 557 06 554) (voicebox)
fax: 08 48 707 705      (+31 84 870 770 5)
mailto:ace@suares.com   http://www.suares.com

References:
- I need help with ACL
  - From: "Christian Blavier" <cblavier@wanadoo.fr>

Prev by Date: Splitting directory over backends
Next by Date: Trying to get RH 7.3 to play nicely with OpenLDAP
Index(es):
- Chronological
- Thread