
Re: LDAP Access Control



Wed, 2002-09-18 at 14:19, Ace Suares wrote:

> I would be surprised if 

> > 
> > cn=App1,cn=Torgeir,ou=people,ou=groups,dc=billy,dc=demon,dc=nl
> > 
> > access to dn=".*,cn=(.*),ou=people,ou=groups,dc=billy,dc=demon,dc=nl"
> >         attrs=entry,children
> >         by anonymous auth
> >         by dn="cn=Admin,dc=billy,dc=demon,dc=nl" write
> >         by dn="cn=$1,ou=people,ou=groups,dc=billy,dc=demon,dc=nl" write
> > 
> > #
 
> would allow cn=(.*),ou=people,ou=groups,dc=billy,dc=demon,dc=nl
> to be managed with this rule !

Life is full of surprises, Ace! But that is, in fact, exactly what
happens. Try it for yourself.

> Isn't that what was requested ? That the user can modify its own 
> entry AND its children ?

That's what happens. Look at the logic of the above, it makes sense.

Furthermore, start using GQ and you'll see the logic in graphical tree
form.

As I said, Billy and I tried it first, with both GQ and ldapsearch
(ldapmodify was not necessary). 

> The regex you are using, will never match
> cn=Billy Da Kat,ou=people,ou=groups,dc=billy,dc=demon,dc=nl
> as far as I understand it.

> I just want to clarify this, can you confirm ?

This last I can confirm. I have no user "cn=Billy Da Kat", where did you
get that one from? I *do* have a user
cn=Billy,ou=people,ou=groups,dc=billy,dc=demon,dc=nl, and he can't touch
what Torgeir has in his tree. Neither can I. But Torgeir can.

Best,

Tony

-- 

Tony Earnshaw

Tha can allway tell a Yorkshireman, but tha canna tell 'im much.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
gpg public key:	http://www.billy.demon.nl/tonni.armor

Telefoon:	(+31) (0)172 530428
Mobiel:		(+31) (0)6 51153356

GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
3BE7B981


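To make the thread's outcome checkable without a running slapd, here is an added Python model of the quoted ACL (not slapd code and not part of the original mail). It assumes the "to" regex is matched against the whole target DN, that "$1" in a "by dn" clause is replaced by the first capture group before a case-insensitive exact comparison, and that the first matching "by" clause decides (no match means no access).

```python
import re

# Model of the access directive quoted in the thread (constructed here).
# "to" is a regex over the target DN; "$1" in a "by dn" clause is the
# first capture group of that regex (the cn of the owning user).
ACL = {
    "to": r".*,cn=(.*),ou=people,ou=groups,dc=billy,dc=demon,dc=nl",
    "by": [
        ("anonymous", None, "auth"),
        ("dn", "cn=Admin,dc=billy,dc=demon,dc=nl", "write"),
        ("dn", "cn=$1,ou=people,ou=groups,dc=billy,dc=demon,dc=nl", "write"),
    ],
}


def evaluate(acl, target_dn, bind_dn):
    """Return the access the rule grants bind_dn on target_dn.

    None   -> the 'to' regex does not match, so this rule does not apply.
    "none" -> the rule applies but no 'by' clause matched the subject.
    bind_dn of None models an anonymous (unauthenticated) connection.
    DN comparison is a case-insensitive exact match (model assumption).
    """
    match = re.fullmatch(acl["to"], target_dn, re.IGNORECASE)
    if match is None:
        return None
    for who, pattern, level in acl["by"]:
        if who == "anonymous":
            if bind_dn is None:
                return level
            continue
        # Expand $1 with the captured cn, e.g. "Torgeir" for cn=App1,cn=Torgeir,...
        expanded = pattern.replace("$1", match.group(1))
        if bind_dn is not None and bind_dn.lower() == expanded.lower():
            return level
    return "none"
```

Note that the regex needs a literal ",cn=" before the captured cn, so the user's own entry (cn=Torgeir,ou=people,...) never matches this rule; only entries below it do, which is the point Ace raised and Tony confirmed.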