On Wed, 2002-09-18 at 14:19, Ace Suares wrote:

> I would be surprised if
> >
> > cn=App1,cn=Torgeir,ou=people,ou=groups,dc=billy,dc=demon,dc=nl
> >
> > access to dn=".*,cn=(.*),ou=people,ou=groups,dc=billy,dc=demon,dc=nl"
> >     attrs=entry,children
> >     by anonymous auth
> >     by dn="cn=Admin,dc=billy,dc=demon,dc=nl" write
> >     by dn="cn=$1,ou=people,ou=groups,dc=billy,dc=demon,dc=nl" write
> >
> > #
> would allow cn=(.*),ou=people,ou=groups,dc=billy,dc=demon,dc=nl
> to be managed with this rule!

Life is full of surprises, Ace! But that is, in fact, exactly what happens. Try it for yourself.

> Isn't that what was requested? That the user can modify its own
> entry AND its children?

That's what happens. Look at the logic of the above, it makes sense. Furthermore, start using GQ and you'll see the logic in graphical tree form. As I said, Billy and I tried it first, with both GQ and ldapsearch (ldapmodify was not necessary).

> The regex you are using, will never match
> cn=Billy Da Kat,ou=people,ou=groups,dc=billy,dc=demon,dc=nl
> as far as I understand it.
> I just want to clarify this, can you confirm?

This last I can confirm. I have no user "cn=Billy Da Kat", where did you get that one from? I *do* have a user cn=Billy,ou=people,ou=groups,dc=billy,dc=demon,dc=nl, and he can't touch what Torgeir has in his tree. Neither can I. But Torgeir can.

Best,

Tony

--
Tony Earnshaw

Tha can allway tell a Yorkshireman, but tha canna tell 'im much.

e-mail: tonni@billy.demon.nl
www: http://www.billy.demon.nl
gpg public key: http://www.billy.demon.nl/tonni.armor

Telephone: (+31) (0)172 530428
Mobile: (+31) (0)6 51153356

GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981 3BE7B981
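The scope of the quoted rule can be checked offline with a small model of it. This is an added example, not code from the thread or from OpenLDAP: it assumes Python's `re` behaves like slapd's regex matching for this pattern (unanchored, case-insensitive), it compares the expanded `by` DN as an exact string, and `rule_access` plus the `cn=Sub` entry are constructed for illustration.

```python
import re

SUFFIX = "ou=people,ou=groups,dc=billy,dc=demon,dc=nl"

# Target pattern from the quoted rule: access to dn=".*,cn=(.*),<SUFFIX>"
TARGET = re.compile(r".*,cn=(.*)," + SUFFIX, re.IGNORECASE)

# The non-anonymous "by" clauses of the quoted rule, in order.
BY = [
    ("cn=Admin,dc=billy,dc=demon,dc=nl", "write"),
    ("cn=$1," + SUFFIX, "write"),
]


def rule_access(entry_dn, bind_dn):
    """Access this one rule grants bind_dn on entry_dn.

    Returns None when the target pattern does not match, meaning the
    rule does not apply and slapd would move on to later access rules.
    """
    m = TARGET.search(entry_dn)
    if m is None:
        return None
    if bind_dn == "":                      # "by anonymous auth"
        return "auth"
    for who, level in BY:
        # $1 is replaced by the text captured from the target DN.
        if who.replace("$1", m.group(1)).lower() == bind_dn.lower():
            return level
    return "none"                          # implicit "by * none"


if __name__ == "__main__":
    torgeir = "cn=Torgeir," + SUFFIX
    billy = "cn=Billy," + SUFFIX
    child = "cn=App1," + torgeir
    for entry in (child, "cn=Sub," + child, torgeir):
        for who in (torgeir, billy, ""):
            print(entry, "|", who or "(anonymous)", "->",
                  rule_access(entry, who))
```

In this model the pattern needs at least one RDN and a comma in front of `cn=...`, so the user's own entry directly under `ou=people` is not covered by this rule, while everything beneath it is writable only by the owner captured in `$1` and by Admin.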