
Re: LDAP Access Control



> Tue, 2002-09-17 at 19:12, Flavio Alves wrote:
> 
> > I'm new to LDAP, and I have some doubts regarding LDAP it self and ACL.
> 
> So'm I and so have I.

No doubts, but still very new ;-)

> 
> > What I really need is for a user (Jonny Gogogo, for instance) to have access
> > to its entry and also its subtree.
> > When a user authenticates, he gains access to these entries...
> >     + -- cn=User X,cn=users,dc=example,dc=com
> >       + -- cn=Application 1,cn=User X,cn=users,dc=example,dc=com
> >       + -- cn=Application 2,cn=User X,cn=users,dc=example,dc=com
> >       + -- cn=Application 3,cn=User X,cn=users,dc=example,dc=com
> 

# slapd.conf ACL (OpenLDAP 2.0 syntax: dn="..." is a regex, $1 expands in the by clause;
# newer releases spell this dn.regex="..." / dn.exact,expand="...")
# [^,]+ stops the capture at the next comma, so $1 is only the user's cn
access to dn="^cn=([^,]+),cn=users,dc=example,dc=com$"
	attrs=entry,children
	by dn="cn=$1,cn=users,dc=example,dc=com" write

gives write access to the entry and its children to whoever the cn matched by
the parentheses happens to be. The $1 is a substitute for the first matched
parentheses in the regular expression.

I am not entirely sure if it works, just try it and see.

Another, maybe clearer way would be:

# the user's own entry
access to dn="^cn=([^,]+),cn=users,dc=example,dc=com$"
	by dn="cn=$1,cn=users,dc=example,dc=com" write

# anything below the user's entry; the leading .* is not parenthesised,
# so $1 is still the user's cn
access to dn="^.*,cn=([^,]+),cn=users,dc=example,dc=com$"
	by dn="cn=$1,cn=users,dc=example,dc=com" write


Note that the first parentheses are NOT the first regular
expression; only the first () will be substituted for $1, the
second for $2, etc.

All the above rules have an implicit 
	by * none
so don't be surprised about that!

Cheers,
ace
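Added example, not from the original post or from OpenLDAP itself: a small Python simulation of the $1 expansion discussed above, run over the DNs from the question, showing which bind DN ends up with write access under the two-rule form and why a greedy cn=(.*) capture behaves differently. It assumes slapd's first-matching "access to" clause decides, an implicit "by * none", and exact string comparison of DNs.

```python
"""Simulate how slapd expands $1 from a regex "access to dn=" clause into
its "by dn=" clause.  Assumptions (not slapd's own code): the first matching
"access to" clause decides, an implicit "by * none" follows the listed by
clauses, and DNs are compared as exact strings."""
import re

# Constructed rules: (target regex, by-clause DN template, granted level).
# [^,]+ stops the capture at the next comma so $1 is only the user's cn.
RULES = [
    (r"^cn=([^,]+),cn=users,dc=example,dc=com$",        # the user's own entry
     "cn=$1,cn=users,dc=example,dc=com", "write"),
    (r"^.*,cn=([^,]+),cn=users,dc=example,dc=com$",     # anything below it
     "cn=$1,cn=users,dc=example,dc=com", "write"),
]

# A greedy cn=(.*) capture swallows commas, so the first clause also matches
# child entries and $1 becomes "Application 1,cn=User X" instead of "User X".
GREEDY_RULES = [
    (r"^cn=(.*),cn=users,dc=example,dc=com$",
     "cn=$1,cn=users,dc=example,dc=com", "write"),
    RULES[1],
]

def expand(template, match):
    """Replace $1, $2, ... in template with the matched parenthesised groups."""
    return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))), template)

def access_level(target_dn, bind_dn, rules=RULES):
    """Access bind_dn has on target_dn: the rule's level when its target regex
    matches and the expanded by-DN equals bind_dn, otherwise 'none'."""
    for pattern, by_template, level in rules:
        m = re.match(pattern, target_dn)
        if m is None:
            continue                  # this "access to" clause does not apply
        if expand(by_template, m) == bind_dn:
            return level
        return "none"                 # first matching clause decides: implicit by * none
    return "none"                     # no clause matched at all

if __name__ == "__main__":
    user = "cn=User X,cn=users,dc=example,dc=com"
    child = "cn=Application 1," + user
    for name, rules in (("[^,]+", RULES), ("(.*)", GREEDY_RULES)):
        print(name, "child ->", access_level(child, user, rules))
```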