Re: LDAP Access Control
> > Correctly, the ACL could be written as
> >
> > access to
> > dn=".*cn=([^,]+),ou=people,ou=groups,dc=billy,dc=demon,dc=nl"
> > by dn="cn=$1,ou=people,ou=groups,dc=billy,dc=demon,dc=nl" write
>
> Almost -- you don't want qqqcn=... to match at the start.
Agreed!
> If anything comes before cn=... it should end in a comma, making it
> dn="(.*,)?cn=..."
> by dn="cn=$2,ou=..." write
I am wondering about the following:
I use: dn=".*,cn=(.*),..."
you use: dn="(.*,)?cn=(.*),..."
Tony uses: ..........cn=([^,]+)...."
What should we use!?
My thoughts:
.*,cn= matches anything before ,cn= even nothing
(f.i. "qqqq,cn=" ; "u=1,cn=" ; "a=1,u=1,cn=" ; ",cn=" )
(.*,)?cn= matches anything ending in a "," before cn= even nothing
(f.i. "qqqq,cn=" ; "u=1,cn=" ; "a=1,u=1,cn=" ; ",cn=" ; "cn=")
[^,]+ matches any combination of 1 or more characters that are NOT
commas, i.e. "a" ; "aa" but not "" ; "," ; ",a" ; "a,"
My questions:
1. Is it conceivable that part of a dn contains the character ","?
2. Is it conceivable that part of a dn contains the character "="?
3. Is there any difference between ".*,cn=" and "(.*,)?cn=" EXCEPT
that the latter would include not only all children, but also the
entry itself?
>
> I didn't know we could do $1 and $2 stuff in LDAP. Pretty cool.
It *is* pretty cool. It allows things like:
access to dn="u=.*,d=(.*),a=(.*),oc=(.*),app=cc"
by self read
by group="group=managers,oc=$3,app=cc" write
by group="group=managers,a=$2,oc=$3,app=cc" write
by group="group=managers,d=$1,a=$2,oc=$3,app=cc" write
which made me very happy.
Thanks for your remarks,
ace
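The three "access to dn=" patterns compared in the message above, as an added example that is not from the thread or from OpenLDAP itself: a small Python script that shows, for a handful of constructed target DNs, which subject DN each "by dn="cn=$N,..."" clause would expand to. It assumes slapd compiles the pattern without implicit anchors (so an unanchored search is used here) and that the base DN is the one from the thread; the sample DNs, including one whose cn contains an RFC 2253 escaped comma for question 1, are constructed.

```python
import re

# Base of the tree discussed in the thread.
BASE = "ou=people,ou=groups,dc=billy,dc=demon,dc=nl"

# The three candidate "access to dn=" patterns, with the capture group
# that holds the cn value (the $N used in the "by dn=" clause).
PATTERNS = {
    "ace":  (r".*,cn=(.*)," + BASE, 1),
    "cas":  (r"(.*,)?cn=(.*)," + BASE, 2),
    "tony": (r".*cn=([^,]+)," + BASE, 1),
}

# Constructed target DNs (not from the thread) covering the cases discussed.
SAMPLES = [
    "cn=joe," + BASE,            # the entry itself
    "uid=x,cn=joe," + BASE,      # a child of the entry
    "a=1,u=1,cn=joe," + BASE,    # a grandchild
    "qqqcn=joe," + BASE,         # the 'qqqcn=' case Tony raised
    r"cn=Doe\, John," + BASE,    # cn value with an escaped comma (question 1)
]


def subject_dn(pattern_name, target_dn):
    """Expand 'by dn="cn=$N,<BASE>" write' for one target DN.

    Returns the DN that would be granted write, or None when the access
    clause does not apply.  Assumption: slapd does not anchor the pattern
    itself, so re.search() is used; put ^ and $ in the pattern to rule out
    matches that start in the middle of a longer DN.
    """
    regex, group = PATTERNS[pattern_name]
    m = re.search(regex, target_dn)
    if m is None:
        return None
    return "cn=%s,%s" % (m.group(group), BASE)


def compare_all():
    """Map each sample target DN to {pattern name: expanded subject DN or None}."""
    return {t: {n: subject_dn(n, t) for n in PATTERNS} for t in SAMPLES}


if __name__ == "__main__":
    for target, results in compare_all().items():
        print(target)
        for name, subj in results.items():
            print("   %-5s -> %s" % (name, subj))
```

Without a leading ^, "(.*,)?cn=" still matches inside "qqqcn=joe,..." because the optional group is simply skipped, so the "(.*,)?" form only helps when the pattern is anchored. The "[^,]+" form never matches a cn value that contains an escaped comma, so such a user gets no write access to their own entry rather than write access to someone else's.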