Wed, 2002-09-18 at 02:54, Ace Suares wrote:

> access to dn="cn=(.*),cn=users,dc=example.com,dc=com"
>   attrs=entry,children
>   by dn="cn=$1,cn=users,dc=example.com,dc=com" write
>
> gives write access to the entry and its children to whomever
> cn=(.*) happens to be. The $1 is a substitute for the first matched
> parenthesis in the regular expression.
>
> I am not entirely sure if it works, just try it and see.
>
> Another, maybe more clear way would be:
>
> access to dn="cn=(.*),cn=users,dc=example.com,dc=com"
>   by dn="cn=$1,cn=users,dc=example.com,dc=com" write
>
> access to dn=".*,cn=(.*),cn=users,dc=example.com,dc=com"
>   by dn="cn=$1,cn=users,dc=example.com,dc=com" write

I discussed this with Billy and we decided to give it a try. We have the time, you don't :-)

The below works beautifully for:

cn=App1,cn=Torgeir,ou=people,ou=groups,dc=billy,dc=demon,dc=nl

access to dn=".*,cn=(.*),ou=people,ou=groups,dc=billy,dc=demon,dc=nl"
  attrs=entry,children
  by anonymous auth
  by dn="cn=Admin,dc=billy,dc=demon,dc=nl" write
  by dn="cn=$1,ou=people,ou=groups,dc=billy,dc=demon,dc=nl" write

# Without the "attrs" constraint, it works as well. Superfluous, in as much as the whole dn for "cn=App1,cn=Torgeir*" belongs under Torgeir, and no-one else but Torgeir (except Admin and Manager) can read it anyway (with GQ one can see the - desired - hierarchy in tree form).

I gave App1 an objectClass of top,applicationProcess. Maybe someone else has a better choice of objectClass for an application.

Great, Ace! Thanks for the "food for thought." Now back to fscking PHP4.

Best,

Tony

--
Tony Earnshaw

Tha can allway tell a Yorkshireman, but tha canna tell 'im much.

e-mail: tonni@billy.demon.nl
www: http://www.billy.demon.nl
gpg public key: http://www.billy.demon.nl/tonni.armor

Telephone: (+31) (0)172 530428
Mobile: (+31) (0)6 51153356

GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981 3BE7B981
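Added example, not part of the original message and not OpenLDAP code: a small Python model of the regex match and $1 substitution discussed above, run against the DNs from the message, to show which writer DN each rule yields and what changes when the pattern is anchored and the capture excludes commas. Assumptions: Python's re stands in for slapd's regex matching, DN normalization is skipped, and the names writer_for, QUOTED, STRICT_SELF, STRICT_CHILD and the ",o=other" DN are constructed for illustration.

```python
import re

def expand(template, match):
    """Replace $1..$9 in a by-clause DN with the groups captured from the target DN."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))), template)

def writer_for(rule, target_dn):
    """Return the DN this rule names as writer for target_dn, or None if the rule does not match."""
    m = re.search(rule["to"], target_dn)  # unanchored unless the pattern anchors itself
    return expand(rule["by"], m) if m else None

SUFFIX = "ou=people,ou=groups,dc=billy,dc=demon,dc=nl"
BY = "cn=$1," + SUFFIX

# Rule as posted in the message: entries below a person entry.
POSTED = {"to": ".*,cn=(.*)," + SUFFIX, "by": BY}
# Shape of the first quoted rule, moved onto this suffix: meant for the person entry itself.
QUOTED = {"to": "cn=(.*)," + SUFFIX, "by": BY}
# Tightened variants (assumption, not from the thread): anchored, no commas in the capture.
STRICT_CHILD = {"to": "^.+,cn=([^,]+)," + SUFFIX + "$", "by": BY}
STRICT_SELF = {"to": "^cn=([^,]+)," + SUFFIX + "$", "by": BY}

PERSON = "cn=Torgeir," + SUFFIX
APP = "cn=App1," + PERSON
STRAY = APP + ",o=other"  # constructed DN that merely contains the suffix

def report():
    """Collect (rule, target, writer) triples for the cases worth comparing."""
    cases = [("POSTED", POSTED, APP), ("POSTED", POSTED, PERSON),
             ("QUOTED", QUOTED, PERSON), ("QUOTED", QUOTED, APP),
             ("STRICT_SELF", STRICT_SELF, APP), ("STRICT_CHILD", STRICT_CHILD, APP),
             ("POSTED", POSTED, STRAY), ("STRICT_CHILD", STRICT_CHILD, STRAY)]
    return [(name, dn, writer_for(rule, dn)) for name, rule, dn in cases]

if __name__ == "__main__":
    for name, dn, writer in report():
        print(f"{name:12} {dn}\n{'':12} -> writer: {writer}")
```

With "(.*)" the QUOTED rule also matches cn=App1,cn=Torgeir,... and expands $1 to "App1,cn=Torgeir", so the writer it names is the application entry itself rather than Torgeir; the "[^,]+" variants keep the capture to a single RDN value.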