Wed, 2002-09-18 at 02:54, Ace Suares wrote:
> access to dn="cn=(.*),cn=users,dc=example.com,dc=com"
> attrs=entry,children
> by dn="cn=$1,cn=users,dc=example.com,dc=com" write
>
> gives write access to the entry and its children to whomever
> cn=(.*) happens to be. The $1 is a substitute for the first matched
> parenthesis in the regular expression.
>
> I am not entirely sure if it works, just try it and see.
>
> Another, maybe more clear way would be:
>
> access to dn="cn=(.*),cn=users,dc=example.com,dc=com"
> by dn="cn=$1,cn=users,dc=example.com,dc=com" write
>
> access to dn=".*,cn=(.*),cn=users,dc=example.com,dc=com"
> by dn="cn=$1,cn=users,dc=example.com,dc=com" write

I discussed this with Billy and we decided to give it a try. We have the
time, you don't :-)

The below works beautifully for:
cn=App1,cn=Torgeir,ou=people,ou=groups,dc=billy,dc=demon,dc=nl

access to dn=".*,cn=(.*),ou=people,ou=groups,dc=billy,dc=demon,dc=nl"
    attrs=entry,children
    by anonymous auth
    by dn="cn=Admin,dc=billy,dc=demon,dc=nl" write
    by dn="cn=$1,ou=people,ou=groups,dc=billy,dc=demon,dc=nl" write
#

Without the "attrs" constraint, it works as well. Superfluous, in as
much as the whole dn for "cn=App1,cn=Torgeir*" belongs under Torgeir,
and no-one else but Torgeir (except Admin and Manager) can read it
anyway (with GQ one can see the - desired - hierarchy in tree form).

I gave App1 an objectClass of top,applicationProcess. Maybe someone else
has a better choice of objectClass for an application.

Great, Ace! Thanks for the "food for thought." Now back to fscking PHP4.

Best,

Tony
--
Tony Earnshaw
Tha can allway tell a Yorkshireman, but tha canna tell 'im much.
e-mail: tonni@billy.demon.nl
www: http://www.billy.demon.nl
gpg public key: http://www.billy.demon.nl/tonni.armor
Telephone: (+31) (0)172 530428
Mobile: (+31) (0)6 51153356
GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
3BE7B981
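
An added example, not part of the original message or of OpenLDAP: a small Python model of the $1 substitution discussed above, showing which bound DN each rule form ends up granting write access to for cn=App1 under cn=Torgeir. It assumes both the target and the by clause are matched as unanchored, case-insensitive regular expressions (check the matching style of your slapd version); the STRICT rule, the App2 entry and all function names are hypothetical.

```python
import re

# Constructed sample DNs, following the tree in the message above.
BASE = "ou=people,ou=groups,dc=billy,dc=demon,dc=nl"
TORGEIR = "cn=Torgeir," + BASE
APP1 = "cn=App1," + TORGEIR
APP2 = "cn=App2," + TORGEIR          # hypothetical sibling entry

# (target pattern, by pattern) pairs.
FLAT = ("cn=(.*)," + BASE, "cn=$1," + BASE)        # single-level form from the quoted mail
LOOSE = (".*,cn=(.*)," + BASE, "cn=$1," + BASE)    # the rule reported as working
STRICT = ("^.+,cn=([^,]+)," + BASE + "$",          # assumption: anchored, one RDN per capture
          "^cn=$1," + BASE + "$")


def expand(template, match):
    """Substitute $1..$9 in a by-pattern with groups captured from the entry DN."""
    return re.sub(r"\$([1-9])", lambda m: match.group(int(m.group(1))), template)


def granted_pattern(rule, entry_dn):
    """Return the expanded by-pattern if the rule applies to entry_dn, else None."""
    target, by = rule
    m = re.search(target, entry_dn, re.IGNORECASE)
    return expand(by, m) if m else None


def may_write(rule, entry_dn, bound_dn):
    """True if bound_dn matches the by-pattern the rule yields for entry_dn."""
    pattern = granted_pattern(rule, entry_dn)
    return pattern is not None and re.search(pattern, bound_dn, re.IGNORECASE) is not None


if __name__ == "__main__":
    for name, rule in (("FLAT", FLAT), ("LOOSE", LOOSE), ("STRICT", STRICT)):
        print(name, "pattern for App1:", granted_pattern(rule, APP1))
        for who in (TORGEIR, APP2):
            print("   ", who.split(",")[0], "may write App1:", may_write(rule, APP1, who))
```

In this model the FLAT rule captures "App1,cn=Torgeir" as $1, so it names App1 itself rather than Torgeir, which is why the ".*," form is needed for child entries. The unanchored by-pattern of LOOSE also matches any DN that merely ends in Torgeir's DN, which the anchored STRICT form rules out.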