Re: Allowing ou creation
Hi,
your example is a bit confusing.
> Hi,
>
> I got a hierarchy like this:
>
> o=basedn
> ou=adressbooks
> ou=domain,ou=adressbooks,o=basedn.
> ou=someuserid,ou=domain,ou=adressbooks,o=basedn.
Let's say, you have it like this:
o=basedn
ou=adressbooks,o=basedn
ou=example.com,ou=adressbooks,o=basedn
ou=someuserid,ou=example.com,ou=adressbooks,o=basedn.
and, for another domain domainB.com:
o=basedn
ou=adressbooks,o=basedn
ou=domainB.com,ou=adressbooks,o=basedn
ou=someuserid,ou=domainB.com,ou=adressbooks,o=basedn.
then, if you wanted user 'someuserid' to ONLY create an entry for its own
thing, I'd write an ACL like this:
# this rule lets users of 'ispmanDomain=matcheddomain' write under
# 'ou=matcheddomain,ou=adressbooks,o=basedn'
access to dn.regex="^ou=(.+),ou=adressbooks,o=basedn$" attrs=children
    by dn.regex="^uid=(.+),ou=users,ispmanDomain=$1,o=basedn$" write
    by * none

# this rule lets a user with uid 'matcheduid' of 'ispmanDomain=matcheddomain'
# write under 'ou=matcheduid,ou=matcheddomain,ou=adressbooks,o=basedn'
# 'ou=matcheddomain,ou=adressbooks,o=basedn'
access to dn.regex="^ou=(.+),ou=(.+),ou=adressbooks,o=basedn$"
    by dn.regex="^uid=$1,ou=users,ispmanDomain=$2,o=basedn$" write
    by * none

Notes:
- the repeated use of ou is confusing, why not use something like
    o=basedn
    ou=adressbooks,o=basedn
    domain=domainB.com,ou=adressbooks,o=basedn
    user=someuserid,domain=domainB.com,ou=adressbooks,o=basedn.
- I always use dn.regex instead of dn. dn defaults to dn.regex but it's much
  clearer what you're doing.
- I always use (.+) instead of (.*) because I want at least one character to
  be present. (.*) will match the empty string.
- I always use ^ and $ in regexes, because
    ou=(.+),ou=(.+),ou=adressbooks,o=basedn
  will match
    something=bla,ou=xxx,ou=yyy,ou=adressbooks,o=basedn,ou=addressbooks,o=basedn
I hope that helps.
Ace
website: http://www.suares.nl * http://www.qwikzite.nl
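
The matching behaviour from the notes above and the $1/$2 substitution in the second rule, as an added example that is not part of the original message. Python's re stands in for slapd's regex engine, and matches, expand and may_write are hypothetical helpers that model only this one rule, not slapd's full ACL evaluation.

```python
import re

# Patterns taken from the second ACL in the message (with and without anchors).
ANCHORED = r"^ou=(.+),ou=(.+),ou=adressbooks,o=basedn$"
UNANCHORED = r"ou=(.+),ou=(.+),ou=adressbooks,o=basedn"
STAR = r"^ou=(.*),ou=(.*),ou=adressbooks,o=basedn$"
BY_TEMPLATE = r"^uid=$1,ou=users,ispmanDomain=$2,o=basedn$"

# Constructed sample DNs (STRAY is the string quoted in the notes).
OWN = "ou=someuserid,ou=example.com,ou=adressbooks,o=basedn"
EMPTY_UID = "ou=,ou=example.com,ou=adressbooks,o=basedn"
STRAY = ("something=bla,ou=xxx,ou=yyy,ou=adressbooks,o=basedn,"
         "ou=addressbooks,o=basedn")
USER = "uid=someuserid,ou=users,ispmanDomain=example.com,o=basedn"
OTHER_USER = "uid=otheruser,ou=users,ispmanDomain=example.com,o=basedn"
OTHER_DOMAIN = "uid=someuserid,ou=users,ispmanDomain=domainB.com,o=basedn"


def matches(pattern, dn):
    """True if the pattern matches anywhere in dn (search semantics)."""
    return re.search(pattern, dn) is not None


def expand(template, groups):
    """Replace $1, $2, ... with the target's submatches, escaped as literals."""
    return re.sub(r"\$(\d)",
                  lambda m: re.escape(groups[int(m.group(1)) - 1]), template)


def may_write(target_pattern, target_dn, bind_dn):
    """Model of one rule: match the target DN, then match the bind DN
    against the by-clause with the target's submatches substituted in."""
    m = re.search(target_pattern, target_dn)
    if m is None:
        return False  # rule does not apply; this model treats that as no access
    return matches(expand(BY_TEMPLATE, m.groups()), bind_dn)


if __name__ == "__main__":
    print("anchored matches stray DN:  ", matches(ANCHORED, STRAY))
    print("unanchored matches stray DN:", matches(UNANCHORED, STRAY))
    print("(.*) accepts empty uid part:", matches(STAR, EMPTY_UID))
    print("(.+) accepts empty uid part:", matches(ANCHORED, EMPTY_UID))
    for who in (USER, OTHER_USER, OTHER_DOMAIN):
        print(who, "->", may_write(ANCHORED, OWN, who))
```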