[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP Access Control

To: Daniel Tiefnig <daniel.tiefnig@infonova.com>
Subject: Re: LDAP Access Control
From: Tony Earnshaw <tonni@billy.demon.nl>
Date: 19 Sep 2002 14:42:56 +0200
Cc: openldap-software@OpenLDAP.org

ons, 2002-09-18 kl. 17:48 skrev Daniel Tiefnig:

> But can Torgeir change his/her/its own data?

Well, Daniel, you made me spend a morning cramming regexs and trying
things out.

The following two ACLs let Torgeir create and maintain (in the revese
order, two entirely different things) his own apps in his own tree.
No-one else can see his apps, but all in his "group" can see him and the
details (later in the ACL list, not included here) they're allowed to,
and he can see all others - but not their apps:

# Let DNs create and maintain apps in their own tree
access to dn="cn=.*,cn=(.*),ou=people,ou=groups,dc=billy,dc=demon,dc=nl"
        by anonymous auth
        by dn="cn=$1,ou=people,ou=groups,dc=billy,dc=demon,dc=nl" write
        by dn="cn=Admin,dc=billy,dc=demon,dc=nl" write

access to dn="cn=([^,]+),ou=people,ou=groups,dc=billy,dc=demon,dc=nl"
        attrs=entry,children
        by anonymous auth
        by dn="cn=$1,ou=people,ou=groups,dc=billy,dc=demon,dc=nl" write
        by dn=".*,ou=people,ou=groups,dc=billy,dc=demon,dc=nl" read
        by dn="cn=Admin,dc=billy,dc=demon,dc=nl" write

#
 
> Don't get me wrong, i believe, that you are experiencing the effect
> you describe, but i think it's due to another ACL line in your
> slapd.conf, or smth. like that.

It wasn't that. It's just that creating and maintaining are two
different things. Admin had already made the apps for him :-)

I don't understand the following regex, by the way, after having read
the necessary: It doesn't make sense to me, but it obviously works:

[^,]+

To me it says: "Everything of one character or more, but not including a
comma." As I said, it works (so does [^,]*), while .+ or .* doesn't.
What's the difference?

Best,

Tony

-- 

Tony Earnshaw

Tha can allway tell a Yorkshireman, but tha canna tell 'im much.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
gpg public key:	http://www.billy.demon.nl/tonni.armor

Telefoon:	(+31) (0)172 530428
Mobiel:		(+31) (0)6 51153356

GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
3BE7B981

Attachment: signature.asc
Description: Dette er en digitalt signert meldingsdel

Follow-Ups:
- Re: LDAP Access Control
  - From: Frank Swasey <Frank.Swasey@uvm.edu>

Prev by Date: Possible BUG: Error deleting entries
Next by Date: client dns lookups, can they be disabled?
Index(es):
- Chronological
- Thread