[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Problems setting up ACLs



I solved my issue after a few more hours...
The following slapd.conf entries seem to work.  Of course, if anyone has better suggestions, I am always eager to learn new tricks.
 
 
access to dn="cn=(.*),ou=ACL,<BASEDN>"
        by group/groupOfUniqueNames/uniqueMember="cn=$1,ou=ACL,<BASEDN>" write
        by * none break
 
access to dn=".*cn=(.*),ou=ACL,ou=Unix,dc=msnyuhealth,dc=org" attrs=entry,children
        by group/groupOfUniqueNames/uniqueMember="cn=$1,ou=ACL,<BASEDN>" write
        by * none break

----- Original Message -----
Sent: Monday, December 29, 2003 1:38 AM
Subject: Problems setting up ACLs

I am having problems configuring ACLs within OpenLDAP 2.1.25.  I want to set up "inherited" rights and sub-ACL groups.
 
Perhaps the easiest thing is to include a snippet of my slapd.conf and the LDAP entries.  As "user1", I am able to modify DN cn=ACL1,ou=ACL,dc=example,dc=com, but I am not able to add sub-entries or modify sub-entries of this DN.  However, I am able to modify sub-entries if I change the slapd.conf entries to reference the group by the exact name, so I am sure that the problem is not one about an earlier ACL overriding these entries.  Unfortunately, this exactl name substitution is not what I want since I intend to populate this with many ACLs and I do not want to constantly be modifying the slapd.conf everytime a new ACL tree is created.
 
Does the variable substitution (ie. use of parentheses and $1 .. $n) not work?  I saw some references to this format in various articles, but I can't seem to get it to work.
 
Any help would be greatly appreciated.
 
Sincerely,
Richard Basch
 
 
LDIF
----
dn: cn=ACL1,ou=ACL,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
objectClass: extensibleObject
uniqueMember: uid=user1,ou=People,dc=example,dc=com
uniqueMember: uid=foo
 
dn: cn=ACL2,cn=HOC-I-UNIXSUN,ou=ACL,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
objectClass: extensibleObject
uniqueMember: host=silverdome
uniqueMember: uid=user2,ou=People,dc=example,dc=com

slapd.conf (excerpt)
----------
access to dn=".*,ou=ACL,ou=Unix,dc=msnyuhealth,dc=org"
        by dnattr=uniqueMember write
        by * none break
 
access to dn="cn=(.*),ou=ACL,ou=Unix,dc=msnyuhealth,dc=org" attrs=entry
        by group/groupOfUniqueNames/uniqueMember="cn=$1,ou=ACL,ou=Unix,dc=msnyuhealth,dc=org" write
        by * none break
 
access to dn.subtree="cn=(.*),ou=ACL,ou=Unix,dc=msnyuhealth,dc=org"
        by group/groupOfUniqueNames/uniqueMember="cn=$1,ou=ACL,ou=Unix,dc=msnyuhealth,dc=org" write
        by * none break