Re: LDAP Access Control
> Tue, 2002-09-17 at 19:12, Flavio Alves wrote:
>
> > I'm new to LDAP, and I have some doubts regarding LDAP it self and ACL.
>
> So'm I and so have I.
No doubts, but still very new ;-)
>
> > What I really need is that a User (Jonny Gogogo for instance) to have access
> > to its entry and also its subtree.
> > When a user authenticates, he gains access to these entries...
> > + -- cn=User X,cn=users,dc=example,dc=com
> > + -- cn=Application 1,cn=User X,cn=users,dc=example,dc=com
> > + -- cn=Application 2,cn=User X,cn=users,dc=example,dc=com
> > + -- cn=Application 3,cn=User X,cn=users,dc=example,dc=com
>
access to dn="^cn=(.*),cn=users,dc=example,dc=com$"
attrs=entry,children
by dn="^cn=$1,cn=users,dc=example,dc=com$" write
gives write access to the entry and its children to whomever
cn=(.*) happens to be. The $1 is a substitute for the first matched
parenthesis in the regular expression.
I am not entirely sure if it works, just try it and see.
Another, maybe more clear way would be:
access to dn="^cn=(.*),cn=users,dc=example,dc=com$"
by dn="^cn=$1,cn=users,dc=example,dc=com$" write
access to dn="^.*,cn=(.*),cn=users,dc=example,dc=com$"
by dn="^cn=$1,cn=users,dc=example,dc=com$" write
Note that the first parentheses are NOT the first regular
expression; only the first () will be substituted for $1, the
second for $2, etc.
All the above rules have an implicit
by * none
so don't be surprised about that!
Cheers,
ace
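Added example (not part of the post or of OpenLDAP): a small Python model of how a regex "access to dn=" pattern is matched and $1 expanded into the "by dn=" clause, run over constructed DNs from the thread's layout. It assumes exact comparison of the expanded "by dn" and first-match evaluation with the implicit "by * none"; it also shows why the greedy (.*) in the first form does not reach child entries.

```python
import re

# Constructed DNs following the post's layout (not real directory data).
BASE = "cn=users,dc=example,dc=com"
USER = "cn=User X," + BASE                   # owner of the subtree
APP = "cn=Application 1," + USER             # an entry below the owner
OTHER = "cn=Other User," + BASE              # an unrelated user

# The post's second ("more clear") form, anchored with ^ and $ so the
# pattern cannot match somewhere in the middle of a longer DN.
RULES = [
    # (target regex, 'by dn' template, access granted to that dn)
    (rf"^cn=([^,]+),{BASE}$", "cn=$1," + BASE, "write"),    # the user's own entry
    (rf"^.+,cn=([^,]+),{BASE}$", "cn=$1," + BASE, "write"),  # anything below it
]

# The post's first form, kept for comparison: a greedy (.*) that also
# swallows the RDNs of child entries, so $1 is no longer just the user.
GREEDY_RULES = [(rf"^cn=(.*),{BASE}$", "cn=$1," + BASE, "write")]


def expand(template, match):
    """Replace $1, $2, ... with the corresponding parenthesised groups."""
    for i, group in enumerate(match.groups(), start=1):
        template = template.replace(f"${i}", group)
    return template


def evaluate(target_dn, bind_dn, rules=RULES):
    """First-match evaluation in the style of slapd's access list (model only).

    Returns the access level of the first 'access to' clause whose target
    matches; "none" if that clause matched but its 'by dn' did not (the
    implicit 'by * none' the post mentions); None if no clause matched at
    all, which slapd resolves by its default policy. Assumption: the expanded
    'by dn' is compared exactly against the bound DN.
    """
    for target_re, by_template, level in rules:
        m = re.match(target_re, target_dn)
        if m is None:
            continue
        return level if bind_dn == expand(by_template, m) else "none"
    return None


if __name__ == "__main__":
    for target, who, rules in [(USER, USER, RULES), (APP, USER, RULES),
                               (USER, OTHER, RULES), (APP, USER, GREEDY_RULES)]:
        print(f"{who!r} on {target!r}: {evaluate(target, who, rules)}")
```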