[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP Access Control

To: Daniel Tiefnig <daniel.tiefnig@infonova.com>
Subject: Re: LDAP Access Control
From: Rick van Rein <rick@vanrein.org>
Date: Wed, 18 Sep 2002 22:23:03 +0200 (CEST)
Cc: openldap-software@OpenLDAP.org
In-reply-to: <ama33o$7lo$1@qmail.infonova.at>

Hi Daniel Tiefnig,

> I don't think so either. Taking the Example, the above rule will just 
> give access to
> dn=".*,cn=Torgeir,ou=people,ou=groups,dc=billy,dc=demon,dc=nl"
> which does _not_ include
> dn="cn=Torgeir,ou=people,ou=groups,dc=billy,dc=demon,dc=nl"

Agreed.

> Correctly, the ACL could be written as
> 
> access to
>    dn=".*cn=([^,]+),ou=people,ou=groups,dc=billy,dc=demon,dc=nl"
>    by dn="cn=$1,ou=people,ou=groups,dc=billy,dc=demon,dc=nl" write

Almost -- you don't want qqqcn=... to match at the start.
If anything comes before cn=... it should end in a comma, making it
    dn="(.*,)?cn=..."
    by dn="cn=$2,ou=..." write

I didn't know we could do $1 and $2 stuff in LDAP.  Pretty cool.


-Rick van Rein

Follow-Ups:
- Re: LDAP Access Control
  - From: "Ace Suares" <ace@suares.com>

References:
- Re: LDAP Access Control
  - From: Daniel Tiefnig <openldap@qmail.infonova.at>

Prev by Date: French character use in user defined Attribut or Class name
Next by Date: RE: Session Resumption problems with JSSE-OpenLDAP
Index(es):
- Chronological
- Thread