
Re: Allowing ou creation





Hi,

your example is a bit confusing.

> Hi,
>
> I got a hierarchy like this:
>
> o=basedn
> ou=adressbooks
> ou=domain,ou=adressbooks,o=basedn.
> ou=someuserid,ou=domain,ou=adressbooks,o=basedn.

Let's say, you have it like this:
o=basedn
ou=adressbooks,o=basedn
ou=example.com,ou=adressbooks,o=basedn
ou=someuserid,ou=example.com,ou=adressbooks,o=basedn.

and, for another domain domainB.com:

o=basedn
ou=adressbooks,o=basedn
ou=domainB.com,ou=adressbooks,o=basedn
ou=someuserid,ou=domainB.com,ou=adressbooks,o=basedn.

then, if you wanted user 'someuserid' to ONLY create an entry for its own
thing, I'd write an ACL like this:

# this rule lets users of 'ispmanDomain=matcheddomain' write under
# 'ou=matcheddomain,ou=adressbooks,o=basedn'
access to dn.regex="^ou=(.+),ou=adressbooks,o=basedn$" attrs=children
	by dn.regex="^uid=(.+),ou=users,ispmanDomain=$1,o=basedn$" write
	by * none

# this rule lets a user with uid 'matcheduid' of 'ispmanDomain=matcheddomain'
# write under 'ou=matcheduid,ou=matcheddomain,ou=adressbooks,o=basedn'
# (below 'ou=matcheddomain,ou=adressbooks,o=basedn')
access to dn.regex="^ou=(.+),ou=(.+),ou=adressbooks,o=basedn$"
	by dn.regex="^uid=$1,ou=users,ispmanDomain=$2,o=basedn$" write
	by * none


Notes:
- the repeated use of ou is confusing, why not use something like
o=basedn
ou=adressbooks,o=basedn
domain=domainB.com,ou=adressbooks,o=basedn
user=someuserid,domain=domainB.com,ou=adressbooks,o=basedn.

- I always use dn.regex instead of dn. dn defaults to dn.regex but it's much
clearer what you're doing.
- I always use (.+) instead of (.*) because I want at least one character to
be present. (.*) will match the empty string.
- I always use ^ and $ in regexes, because
ou=(.+),ou=(.+),ou=adressbooks,o=basedn
will match
something=bla,ou=xxx,ou=yyy,ou=adressbooks,o=basedn,ou=addressbooks,o=basedn


I hope that helps.

Ace
 
website: http://www.suares.nl * http://www.qwikzite.nl
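Added example, not part of Ace's message or of OpenLDAP: a small Python check that applies the two access rules from the post to constructed DNs, imitating slapd's regex matching (regexec, anchored only where ^/$ say so) and its verbatim $N expansion of the by-clause, and that exercises the anchoring and (.+) points from the notes. The DNs and the uid 'bob' are made up for the test.

```python
import re

# Constructed DNs for the layout described in the post (not from the message).
DOMAIN_ENTRY = "ou=example.com,ou=adressbooks,o=basedn"
USER_ENTRY = "ou=someuserid,ou=example.com,ou=adressbooks,o=basedn"
OWNER = "uid=someuserid,ou=users,ispmanDomain=example.com,o=basedn"
OTHER_USER = "uid=bob,ou=users,ispmanDomain=example.com,o=basedn"
OTHER_DOMAIN = "uid=someuserid,ou=users,ispmanDomain=domainB.com,o=basedn"
# The unanchored pattern and the DN the post says it would wrongly match.
UNANCHORED = r"ou=(.+),ou=(.+),ou=adressbooks,o=basedn"
JUNK = "something=bla,ou=xxx,ou=yyy,ou=adressbooks,o=basedn,ou=addressbooks,o=basedn"

# The two rules from the post as (to-regex, by-regex) pairs.  $1/$2 in the
# "by" part refer to the groups captured by the "to" part.
RULE_DOMAIN = (r"^ou=(.+),ou=adressbooks,o=basedn$",
               r"^uid=(.+),ou=users,ispmanDomain=$1,o=basedn$")
RULE_USER = (r"^ou=(.+),ou=(.+),ou=adressbooks,o=basedn$",
             r"^uid=$1,ou=users,ispmanDomain=$2,o=basedn$")


def matches(regex, dn):
    """re.search behaves like regexec(): nothing is anchored unless ^/$ say so."""
    return re.search(regex, dn) is not None


def expand(by_template, groups):
    """Substitute $N with the Nth capture of the to-clause, verbatim as slapd does."""
    return re.sub(r"\$(\d+)", lambda m: groups[int(m.group(1)) - 1], by_template)


def rule_grants(rule, target_dn, subject_dn):
    """True when the rule's to-clause matches target_dn and the expanded
    by-clause matches subject_dn; False if the rule does not apply or the
    subject falls through to 'by * none'."""
    to_regex, by_template = rule
    m = re.search(to_regex, target_dn)
    if m is None:
        return False
    return matches(expand(by_template, m.groups()), subject_dn)


if __name__ == "__main__":
    print("owner may write own entry:", rule_grants(RULE_USER, USER_ENTRY, OWNER))
    print("other user may write it:  ", rule_grants(RULE_USER, USER_ENTRY, OTHER_USER))
    print("same uid, other domain:   ", rule_grants(RULE_USER, USER_ENTRY, OTHER_DOMAIN))
    print("unanchored matches junk:  ", matches(UNANCHORED, JUNK))
    print("anchored matches junk:    ", matches(RULE_USER[0], JUNK))
    # (.+) in the domain rule also spans commas, so its to-clause matches
    # the user-level entry too; slapd applies the first rule whose "to" matches.
    print("domain rule hits user DN: ", matches(RULE_DOMAIN[0], USER_ENTRY))
```

Because the domain rule's to-clause also matches the user-level entry and slapd stops at the first access directive whose to-clause matches the target, the order of the two rules decides which by-clauses are consulted for 'ou=someuserid,...'.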