LDAP ACL Question



Hi to all,

Can someone please point me the right way using ACLs?

We're trying to set up an ACL on the following criteria:
(and yes, I know the schema isn't RFC compliant, but it takes
 a couple of weeks to restructure it all)

dn: ip=127.0.0.1,type=ftp,o=eunet,c=at
    |-> distinguishedName: uid=test,ip=127.0.0.1,type=ftp,o=eunet,c=at
    |-> dn: uid=test,ip=127.0.0.1,type=ftp,o=eunet,c=at
    |-> dn: uid=test1,ip=127.0.0.1,type=ftp,o=eunet,c=at
    |-> dn: uid=test2,ip=127.0.0.1,type=ftp,o=eunet,c=at
    ....

dn: ip=127.0.0.2,type=ftp,o=eunet,c=at
    |-> distinguishedName: uid=test,ip=127.0.0.2,type=ftp,o=eunet,c=at
    |-> dn: uid=test,ip=127.0.0.2,type=ftp,o=eunet,c=at
    |-> dn: uid=test1,ip=127.0.0.2,type=ftp,o=eunet,c=at
    |-> dn: uid=test2,ip=127.0.0.2,type=ftp,o=eunet,c=at
    ....

We want to authenticate against the trees ip=.*,type=ftp,o=eunet,c=at
 (this one is no problem).

We want to get read access to dn="ip=([^,]+),type=ftp,o=eunet,c=at"
 by all uids below the $1 (this one is no problem).

We want to get write access to ip=([^,]+),type=ftp,o=eunet,c=at
 by the uid matching the ip=.* attribute value from distinguishedName
(this one is really not working... *grml*).

There's no way to use group matching because the group attribute is located
in the ip object, not in the user's object.
By changing the tree to have the group attribute in every user, how can I
set up the match correctly to get one user as administrative user for
the ip tree?

We want to limit the users to the ip tree (no problem using regex).

Thanks for any hint.

Kind regards

-- 
Michael Lang				       System Engineer
EUnet-AG EDV und Internetdienstleistungen  Tel: +43 1 89933118
Diefenbachgasse 35, 1150 Wien		   Fax: +4318991110118
http://www.eunet-ag.at		      Michael.Lang@eunet-ag.at
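As an added example (not part of the post or any reply), one way to express the three criteria above in OpenLDAP slapd.conf ACL syntax; it assumes that OpenLDAP is the server in use and that distinguishedName is a DN-syntax attribute on the ip object holding the administrative user's full DN.

```conf
# Added example, not the poster's configuration. Assumes OpenLDAP
# slapd.conf ACLs and that distinguishedName (DN syntax) on each
# ip=... entry names the administrative user for that subtree.

# 1. Authentication: each user may bind against (and change) their own
#    password; nobody else may read it.
access to dn.regex="^uid=[^,]+,ip=[^,]+,type=ftp,o=eunet,c=at$" attrs=userPassword
    by self write
    by anonymous auth
    by * none

# 2. The ip=... object itself: dnattr grants access to whoever's bind DN
#    appears in the entry's own distinguishedName attribute (write), and
#    every uid directly below the same ip value may read it ($1 is the
#    ip captured in the "to" clause).
access to dn.regex="^ip=([^,]+),type=ftp,o=eunet,c=at$"
    by dnattr=distinguishedName write
    by dn.regex="^uid=[^,]+,ip=$1,type=ftp,o=eunet,c=at$" read
    by * none

# 3. Confine users to their own ip subtree: the remaining attributes of a
#    uid=... entry are readable only by uids under the same ip value.
access to dn.regex="^uid=[^,]+,ip=([^,]+),type=ftp,o=eunet,c=at$"
    by dn.regex="^uid=[^,]+,ip=$1,type=ftp,o=eunet,c=at$" read
    by * none
```

Clause order matters: slapd uses the first "access to" clause whose target (DN and attributes) matches, so the userPassword clause must precede the general uid clause.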