I am having problems configuring
ACLs within OpenLDAP 2.1.25. I want to set up "inherited" rights and
sub-ACL groups.
Perhaps the easiest thing is to include a snippet of my slapd.conf and the
LDAP entries. As "user1", I am able to modify DN
cn=ACL1,ou=ACL,dc=example,dc=com, but I am not able to add sub-entries or modify
sub-entries of this DN. However, I am able to modify sub-entries if I
change the slapd.conf entries to reference the group by the exact name, so I am
sure that the problem is not one about an earlier ACL overriding these
entries. Unfortunately, this exactl name substitution is not
what I want since I intend to populate this with many ACLs and I
do not want to constantly be modifying the slapd.conf everytime a
new ACL tree is created.
Does the variable substitution (ie. use of parentheses and $1 .. $n) not
work? I saw some references to this format in various articles, but I
can't seem to get it to work.
Any help would be greatly appreciated.
Sincerely,
Richard Basch
LDIF
----
dn: cn=ACL1,ou=ACL,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
objectClass: extensibleObject
uniqueMember: uid=user1,ou=People,dc=example,dc=com
uniqueMember: uid=foo

dn: cn=ACL2,cn=HOC-I-UNIXSUN,ou=ACL,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
objectClass: extensibleObject
uniqueMember: host=silverdome
uniqueMember: uid=user2,ou=People,dc=example,dc=com
slapd.conf (excerpt)
----------
access to dn=".*,ou=ACL,ou=Unix,dc=msnyuhealth,dc=org"
        by dnattr=uniqueMember write
        by * none break

access to dn="cn=(.*),ou=ACL,ou=Unix,dc=msnyuhealth,dc=org" attrs=entry
        by group/groupOfUniqueNames/uniqueMember="cn=$1,ou=ACL,ou=Unix,dc=msnyuhealth,dc=org" write
        by * none break

access to dn.subtree="cn=(.*),ou=ACL,ou=Unix,dc=msnyuhealth,dc=org"
        by group/groupOfUniqueNames/uniqueMember="cn=$1,ou=ACL,ou=Unix,dc=msnyuhealth,dc=org" write
        by * none break
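The regex-with-substitution form the post is asking about, written as one subtree rule, as an added example that is not part of the original message or of OpenLDAP's own documentation. It assumes the 2.1 semantics where a bare `dn=` pattern is matched as a regex while `dn.subtree=` takes a literal base DN (so `(.*)` inside it is never treated as a pattern), and that a `$n` reference in a group pattern is only expanded when the group clause carries an expansion style (`.regex` on 2.1.x; 2.2 and later call the same style `.expand`).

```conf
# Added example, not from the original post.
# Assumptions: dn.regex is available (true for 2.1.x); group patterns are
# expanded only when given an expansion style (.regex here, .expand on 2.2+).

# 1. Members of cn=<name>,ou=ACL,... may write that entry and every entry
#    beneath it.  "(.+,)?" absorbs an optional child prefix, so the ACL name
#    is captured as $2, not $1.  The anchors keep the pattern from matching
#    unrelated DNs that merely end with the same suffix.
access to dn.regex="^(.+,)?cn=([^,]+),ou=ACL,ou=Unix,dc=msnyuhealth,dc=org$"
        by group/groupOfUniqueNames/uniqueMember.regex="cn=$2,ou=ACL,ou=Unix,dc=msnyuhealth,dc=org" write
        by * none break

# 2. Fallback kept from the original: anyone listed directly in an ACL entry
#    may still write that entry.  Restricted to the ACL entries themselves so
#    it does not silently widen access to their children.
access to dn.regex="^cn=[^,]+,ou=ACL,ou=Unix,dc=msnyuhealth,dc=org$"
        by dnattr=uniqueMember write
        by * none break
```

Because the first directive that matches the target DN wins, rule 1 must precede any broader `ou=ACL` rule; checking with `slapd -d acl` (or the `-d` ACL debug level on 2.1) shows which directive and `by` clause each request actually hits.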