[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Attribute scope of attr=entry in an ACL
>>>> Tony Earnshaw <tonni@billy.demon.nl> 03/31/03 04:18pm >>>
>man, 2003-03-31 kl. 06:39 skrev Ace Suares:
>
>> since you are giving a base that is 'higher' than the access rules
you have,
>> it should be IMPOSSIBLE to travel 'down the tree. (At least, that's
what I
>> understand of it.)
>
>That's what I've found too. That bit seems to be logical.
Indeed ... My post was already longer than I like to send, so I did not
include all of my ACLs. These are them: (btw, is there a way to use the
substitution $1, $2, $3 if I use globs and dn.subtree rather than regexs
and attr=children,entry in the access to part?)
access to dn="cn=([^,]+),ou=([^,]+),ou=([^,]+),o=people,o=company"
attr=userPassword
by self write
by group="cn=Admin,o=company" write
by group="cn=Admin,o=people,o=company" write
by group="cn=Admin,ou=$3,o=people,o=company" write
by group="cn=Admin,ou=$2,ou=$3,o=people,o=company" write
by * compare
access to dn="dc=([^,]+),ou=email,o=internet,o=company"
attr=userPassword
by self write
by group="cn=Admin,o=company" write
by group="cn=Admin,o=internet,o=company" write
by group="cn=Admin,ou=email,o=internet,o=company" write
by group="cn=Admin,dc=$1,ou=email,o=internet,o=company" write
by group="cn=MailServers,ou=email,o=internet,o=company" read
by * compare
access to dn="cn=([^,]+),dc=([^,]+),ou=email,o=internet,o=company"
attr=userPassword
by self write
by group="cn=Admin,o=company" write
by group="cn=Admin,o=internet,o=company" write
by group="cn=Admin,ou=email,o=internet,o=company" write
by group="cn=Admin,dc=$2,ou=email,o=internet,o=company" write
by group="cn=MailServers,ou=email,o=internet,o=company" read
by * compare
access to dn.subtree="ou=hosts,o=internet,o=company" attr=userPassword
by self write
by group="cn=Admin,o=company" write
by group="cn=Admin,o=internet,o=company" write
by group="cn=Admin,ou=hosts,o=internet,o=company" write
by * compare
access to * attr=userPassword
by group="cn=Admin,o=company" write
access to dn="cn=Address Book,o=people,o=company" attrs=children,entry
by group="cn=Admin,o=company" write
by group="cn=Admin,o=people,o=company" write
by dn.children="o=people,o=company" read
access to dn="cn=Address Book,ou=([^,]+),o=people,o=company"
attrs=children,entry
by group="cn=Admin,o=company" write
by group="cn=Admin,o=people,o=company" write
by group="cn=Admin,ou=$1,o=people,o=company" write
by dn.children="ou=$1,o=people,o=company" read
access to dn="cn=Address Book,ou=([^,]+),ou=([^,]+),o=people,o=company"
attrs=childre
n,entry
by group="cn=Admin,o=company" write
by group="cn=Admin,o=people,o=company" write
by group="cn=Admin,ou=$2,o=people,o=company" write
by group="cn=Admin,ou=$1,ou=$2,o=people,o=company" write
by dn.children="ou=$1,ou=$2,o=people,o=company" read
access to dn="cn=([^,]+),ou=([^,]+),ou=([^,]+),o=people,o=company"
attr=children
by self write
by group="cn=Admin,o=company" write
by group="cn=Admin,o=people,o=company" write
by group="cn=Admin,ou=$3,o=people,o=company" write
by group="cn=Admin,ou=$2,ou=$3,o=people,o=company" write
by dn="cn=$1,ou=$2,ou=$3,o=people,o=company" write
access to dn="cn=([^,]+),ou=([^,]+),ou=([^,]+),o=people,o=company"
attr=entry
by self write
by group="cn=Admin,o=company" write
by group="cn=Admin,o=people,o=company" write
by group="cn=Admin,ou=$3,o=people,o=company" write
by group="cn=Admin,ou=$2,ou=$3,o=people,o=company" write
by users read
by * auth
access to dn="ou=([^,]+),ou=([^,]+),o=people,o=company"
attrs=children,entry
by group="cn=Admin,o=company" write
by group="cn=Admin,o=people,o=company" write
by group="cn=Admin,ou=$2,o=people,o=company" write
by group="cn=Admin,ou=$1,ou=$2,o=people,o=company" write
by users read
by * auth
access to dn="dc=([^,]+),ou=email,o=internet,o=company"
attrs=children,entry
by self write
by group="cn=Admin,o=company" write
by group="cn=Admin,o=internet,o=company" write
by group="cn=Admin,ou=email,o=internet,o=company" write
by group="cn=Admin,dc=$1,ou=email,o=internet,o=company" write
by * auth
access to dn.subtree="ou=hosts,o=internet,o=company"
by self write
by group="cn=Admin,o=company" write
by group="cn=Admin,o=internet,o=company" write
by group="cn=Admin,ou=hosts,o=internet,o=company" write
by * auth
access to dn.subtree="o=internet,o=company"
by self write
by group="cn=Admin,o=company" write
by group="cn=Admin,o=internet,o=company" write
access to dn="ou=([^,]+),ou=([^,]+),o=([^,]+),o=company"
attrs=children,entry
by self write
by group="cn=Admin,o=company" write
by group="cn=Admin,o=$3,o=company" write
by group="cn=Admin,ou=$2,o=$3,o=company" write
by group="cn=Admin,ou=$1,ou=$2,o=$3,o=company" write
by users read
access to dn="ou=([^,]+),o=([^,]+),o=company" attrs=children,entry
by self write
by group="cn=Admin,o=company" write
by group="cn=Admin,o=$2,o=company" write
by group="cn=Admin,ou=$1,o=$2,o=company" write
by users read
access to dn="o=([^,]+),o=company" attrs=children,entry
by self write
by group="cn=Admin,o=company" write
by group="cn=Admin,o=$1,o=company" write
by users read
access to dn="o=company" attrs=children,entry
by self write
by group="cn=Admin,o=company" write
by users read
by * auth
>
>> I tested with a very very simple ACL. Maybe that's good for you too.
Just make
>> up ONE ACL that's very very simple and that restrcits access to the
first
>> level. Then add rules and see what changes. And tell us !
(Especially if you
>> solved it !)
I did that also, but I just can't get these to work. Looking at the
output of slapd -d -1, when "attr=entry" is not on the one line <access
to dn="cn=([^,]+),ou=([^,]+),ou=([^,]+),o=people,o=company" attr=entry>,
the search is accepted there. With "attr=entry" present, it is the same
as with all the other matches -- no joy.
>
>I do what Mike wants, and my method works for me. My problem is that
>regexes for Openldap do not seem to work like any other regexes on
this
>earth. Like SpamAssassin Perl regexes follow *completely* the Perl
>manuals and *always* work like one supposes they should. Openldap
>regexes need a fairy with a magic wand to make work and defy all
logic.
>However, the good news is, that they work in the end. Though how I
still
>don't know.
>
>Anybody wants to write off list, I'll give him my method; if I post
it
>here, I'll get shot down in flames; life is already difficult enough.
Let's see ... what was that e-mail address again??
>
>Best,
>
>Tony
>
>--
>
>Tony Earnshaw
>sny" attr=entry
by self
>e-post: by self write
tonni@billy.demon.nl
>www: http://www.billy.demon.nl