
Re: LDAP Access Control



Hi Daniel Tiefnig,

> I don't think so either. Taking the Example, the above rule will just 
> give access to
> dn=".*,cn=Torgeir,ou=people,ou=groups,dc=billy,dc=demon,dc=nl"
> which does _not_ include
> dn="cn=Torgeir,ou=people,ou=groups,dc=billy,dc=demon,dc=nl"

Agreed.

> Correctly, the ACL could be written as
> 
> access to
>    dn=".*cn=([^,]+),ou=people,ou=groups,dc=billy,dc=demon,dc=nl"
>    by dn="cn=$1,ou=people,ou=groups,dc=billy,dc=demon,dc=nl" write

Almost -- you don't want qqqcn=... to match at the start.
If anything comes before cn=... it should end in a comma, making it
    dn="(.*,)?cn=..."
    by dn="cn=$2,ou=..." write

I didn't know we could do $1 and $2 stuff in LDAP.  Pretty cool.


-Rick van Rein
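The three patterns discussed in this thread can be checked offline before they go into slapd.conf. The harness below is an added example, not code from the thread or from OpenLDAP: it matches each `access to dn=` regex against the whole target DN (an assumption of this harness; confirm how your slapd version anchors `dn` regexes), expands `$N` in the `by dn=` clause from the capture groups, and compares the result to the binding DN with a plain case-insensitive string comparison as a stand-in for real DN normalisation. The sample DNs (`cn=Torgeir,...`, the `qqqcn=` probe Rick mentions, and a child entry) are constructed for the example.

```python
import re

# Constructed sample DNs: the base from the thread, Torgeir's own entry, an
# entry whose RDN attribute merely ends in "cn" (Rick's "qqqcn" case), and an
# entry one level below Torgeir's.
BASE = "ou=people,ou=groups,dc=billy,dc=demon,dc=nl"
USER_DN = f"cn=Torgeir,{BASE}"
SPOOF_DN = f"qqqcn=Torgeir,{BASE}"
CHILD_DN = f"uid=mail,cn=Torgeir,{BASE}"

# The "to dn=" pattern Daniel quotes first: it requires a comma before "cn=",
# so it covers entries *below* Torgeir but not Torgeir's own entry.
ORIGINAL_TO = f".*,cn=Torgeir,{BASE}"

# The two parametrised ACLs from the thread as (to-pattern, by-template).
ACLS = {
    # Daniel's version: ".*" may swallow text that glues onto "cn=".
    "unanchored": (f".*cn=([^,]+),{BASE}", f"cn=$1,{BASE}"),
    # Rick's correction: any prefix must end in a comma, so cn= is a real RDN.
    # The optional prefix is group 1, which is why the by-clause uses $2.
    "comma_prefixed": (f"(.*,)?cn=([^,]+),{BASE}", f"cn=$2,{BASE}"),
}


def to_clause_matches(to_pattern: str, target_dn: str) -> bool:
    """Does 'access to dn=<to_pattern>' select target_dn?  (Whole-DN match.)"""
    return re.fullmatch(to_pattern, target_dn, re.IGNORECASE) is not None


def acl_grants(to_pattern: str, by_template: str, target_dn: str, bind_dn: str) -> bool:
    """Return True if 'access to dn=<to_pattern> by dn=<by_template> write'
    lets bind_dn reach target_dn.  $N in by_template is replaced by capture
    group N of the to-pattern match; a group that did not participate
    expands to the empty string.  Comparison is case-insensitive as a
    simplification of DN normalisation (assumption of this harness)."""
    m = re.fullmatch(to_pattern, target_dn, re.IGNORECASE)
    if m is None:
        return False
    expanded = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", by_template)
    return expanded.lower() == bind_dn.lower()


def report() -> dict:
    """Evaluate every ACL against the sample DNs with Torgeir bound."""
    results = {}
    for name, (to_pat, by_tmpl) in ACLS.items():
        for label, target in (("own", USER_DN), ("spoof", SPOOF_DN), ("child", CHILD_DN)):
            results[(name, label)] = acl_grants(to_pat, by_tmpl, target, USER_DN)
    return results


if __name__ == "__main__":
    print("original 'to' matches own entry:", to_clause_matches(ORIGINAL_TO, USER_DN))
    print("original 'to' matches child entry:", to_clause_matches(ORIGINAL_TO, CHILD_DN))
    for (name, label), granted in sorted(report().items()):
        print(f"{name:15s} {label:6s} -> {'WRITE' if granted else 'denied'}")
```

Run as-is, the output shows the point of the thread: the `unanchored` rule lets Torgeir write the `qqqcn=Torgeir,...` entry because `.*` absorbs `qqq`, while the `comma_prefixed` rule grants write on Torgeir's own entry and its children only, and the original `.*,cn=Torgeir` pattern never selects the entry itself.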