Re: ACL's and madness
Thu, 2003-02-20 at 09:34, Mitrana Cristian wrote:
> > bonehead mistake that I am blind to.
> >
> > #authenticated users can create and modify private child entries(theory)
> > access to dn=".*,uid=.*,ou=users,ou=People,dc=home,dc=com"
> > by dn="$1" write
> > by anonymous auth
>
> I don't have an environment to test it, but you can try something of :
>
> access to dn.subtree="uid=([^,]+),ou=users,ou=People,dc=home,dc=com"
> by dn="$1,ou=users,ou=People,dc=home,dc=com" write
> by * none
> (could be "children" instead of "subtree" but I don't even have
> an entry in the man section for slapd.access).
> I'll try something that really works when I get the chance to
> fire up slapd :) and get back to you.
That's why people will believe I'm mad.
With 2.1.8, 2.1.10 and 2.1.12, if I try:
access to dn.subtree="cn=([^,]+),dc=myorg,dc=us"
by dn="cn=$1,dc=myorg,dc=us"
by anonymous read
by anonymous auth
I get:
"/usr/local/ldaptest/etc/openldap/slapd.conf: line 55: bad DN
"cn=([^,]+),dc=myorg,dc=us"
O.k., so I don't have uid as RDN, I have cn. But what the thingy?
Without the subtree and children styles, it works, but only partly. Then
I have to expressly put "attr=sub", "attr=children", etc. beneath the
"access to" statement. Repeat: "Even then it doesn't work properly."
Variations on it give various other no-no faults.
I have my *own* way of doing it, which works perfectly ("For Me (tm)"),
but Howard has already bitten off my ear for airing it on this list
(Sept last year), so I don't dare to, any more.
Recapping, I *do* give people in a group access to modify what is under
them in their own subtree and other RDNs various right to access those
objects (read, write etc. etc.). But, I do it my own way and don't dare
to state how on this list.
Best,
Tony
--
Tony Earnshaw
When you rob a person of his illusions,
you are robbing him of his happiness
e-post: tonni@billy.demon.nl
www: http://www.billy.demon.nl
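For reference, here is the regex form of the ACL the thread is trying to write, as an added example and not a configuration posted by either participant; it uses the ou=users,ou=People,dc=home,dc=com suffix from the quoted message and assumes the slapd.access(5) syntax of OpenLDAP 2.1, where dn.regex= patterns fill $1, $2, ... for use in the by clause.

```conf
# dn.subtree= and dn.children= take a literal DN, which is why slapd
# answers "bad DN" when a regular expression is given with them.
# Only dn.regex= accepts a pattern and exposes its parenthesised groups
# as $1, $2, ... to the <by> clauses.
#
# Group 1 (optional, note the trailing comma): any RDNs below the user's
# own entry, so child entries match as well as the entry itself.
# Group 2: the uid value, reused in the <by> clause so that a user only
# gets write access to their own entry and the subtree beneath it.
access to dn.regex="^(.+,)?uid=([^,]+),ou=users,ou=People,dc=home,dc=com$"
        by dn.regex="^uid=$2,ou=users,ou=People,dc=home,dc=com$" write
        by anonymous auth
        by * none

# Both patterns are anchored with ^ and $; without the anchors a uid such
# as "bob" would also match "uid=bob,..." embedded in a longer DN.
# $2 is substituted as plain text into the <by> pattern before it is
# compiled as a regex, so uid values should be restricted to characters
# with no regex meaning (letters, digits, "-", "_", ".").
```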