----- Original Message -----
Sent: Monday, December 29, 2003 1:38 AM
Subject: Problems setting up ACLs
I am having problems configuring ACLs within OpenLDAP 2.1.25. I want to set up "inherited" rights and sub-ACL groups.

Perhaps the easiest thing is to include a snippet of my slapd.conf and the LDAP entries. As "user1", I am able to modify DN cn=ACL1,ou=ACL,dc=example,dc=com, but I am not able to add sub-entries or modify sub-entries of this DN. However, I am able to modify sub-entries if I change the slapd.conf entries to reference the group by the exact name, so I am sure that the problem is not one about an earlier ACL overriding these entries. Unfortunately, this exact name substitution is not what I want since I intend to populate this with many ACLs and I do not want to constantly be modifying the slapd.conf every time a new ACL tree is created.

Does the variable substitution (i.e. use of parentheses and $1 .. $n) not work? I saw some references to this format in various articles, but I can't seem to get it to work.
Any help would be greatly appreciated.
Sincerely,
Richard Basch
LDIF
----
dn: cn=ACL1,ou=ACL,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
objectClass: extensibleObject
uniqueMember: uid=user1,ou=People,dc=example,dc=com
uniqueMember: uid=foo

dn: cn=ACL2,cn=HOC-I-UNIXSUN,ou=ACL,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
objectClass: extensibleObject
uniqueMember: host=silverdome
uniqueMember: uid=user2,ou=People,dc=example,dc=com
slapd.conf (excerpt)
----------
access to dn=".*,ou=ACL,ou=Unix,dc=msnyuhealth,dc=org"
        by dnattr=uniqueMember write
        by * none break

access to dn="cn=(.*),ou=ACL,ou=Unix,dc=msnyuhealth,dc=org" attrs=entry
        by group/groupOfUniqueNames/uniqueMember="cn=$1,ou=ACL,ou=Unix,dc=msnyuhealth,dc=org" write
        by * none break

access to dn.subtree="cn=(.*),ou=ACL,ou=Unix,dc=msnyuhealth,dc=org"
        by group/groupOfUniqueNames/uniqueMember="cn=$1,ou=ACL,ou=Unix,dc=msnyuhealth,dc=org" write
        by * none break
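Added editorial example (my own Python, not part of the message above and not OpenLDAP code): a small model of what the `cn=(.*),ou=ACL,...` capture and the `$1` substitution in the `group/...="cn=$1,..."` clause actually resolve to for a top-level ACL entry versus an entry nested beneath it. The directory content is constructed here, using the `dc=example,dc=com` suffix from the LDIF and placing `cn=ACL2` directly under `cn=ACL1` so the parent/child case is explicit. The model only does the regex match and substitution and a `uniqueMember` lookup; it does not reproduce slapd's ACL engine (no `break` handling, no DN normalisation), and it anchors the pattern at both ends as a simplifying assumption. The second pattern, `INHERIT`, is my own alternative that captures the top-level ACL name rather than everything to the left of `,ou=ACL`.

```python
import re

# Constructed sample directory (not a live server), modelled on the groupOfUniqueNames
# entries in the message, with cn=ACL2 nested directly under cn=ACL1.
ENTRIES = {
    "cn=ACL1,ou=ACL,dc=example,dc=com": [
        "uid=user1,ou=People,dc=example,dc=com",
        "uid=foo",
    ],
    "cn=ACL2,cn=ACL1,ou=ACL,dc=example,dc=com": [
        "host=silverdome",
        "uid=user2,ou=People,dc=example,dc=com",
    ],
}

# Each clause is (dn regex pattern, group-DN template using $n references).
# NAIVE is the pattern used in the message; INHERIT is my alternative (assumption, not
# from the thread) that captures only the top-level ACL name, so nested entries
# resolve to their top-level group.
NAIVE = ("cn=(.*),ou=ACL,dc=example,dc=com", "cn=$1,ou=ACL,dc=example,dc=com")
INHERIT = ("(.*,)?cn=([^,]+),ou=ACL,dc=example,dc=com", "cn=$2,ou=ACL,dc=example,dc=com")


def expand_group_dn(target_dn, dn_regex, group_template):
    """Model the $n substitution: match the target DN against the regex and splice the
    numbered captures into the group DN template. Returns None when the pattern does
    not match. The pattern is anchored at both ends here (a simplification of the model,
    not a statement about slapd's own anchoring)."""
    m = re.fullmatch(dn_regex, target_dn)
    if m is None:
        return None
    return re.sub(r"\$(\d)", lambda ref: m.group(int(ref.group(1))) or "", group_template)


def group_grants_write(target_dn, requester_dn, clause, entries=ENTRIES):
    """True when the requester DN is a uniqueMember of the group the clause resolves
    to for this target entry; False when the pattern does not match or the resolved
    group does not exist."""
    dn_regex, group_template = clause
    group_dn = expand_group_dn(target_dn, dn_regex, group_template)
    if group_dn is None:
        return False
    return requester_dn in entries.get(group_dn, [])


if __name__ == "__main__":
    user1 = "uid=user1,ou=People,dc=example,dc=com"
    for target in ENTRIES:
        for name, clause in (("naive", NAIVE), ("inherit", INHERIT)):
            print(f"{name:8} {target:45} -> group={expand_group_dn(target, *clause)} "
                  f"user1_write={group_grants_write(target, user1, clause)}")
```

With the `NAIVE` pattern the greedy `(.*)` on `cn=ACL2,cn=ACL1,ou=ACL,...` captures `ACL2,cn=ACL1`, so `$1` expands the group DN to the nested entry itself and user1 (a member only of `cn=ACL1`) gets nothing there, which matches the symptom reported above. The `INHERIT` pattern resolves both the top-level entry and its children to `cn=ACL1`; note that it then grants user2, a member only of `cn=ACL2`, nothing, so a deployment that wants both inherited and local membership would need a second `by` clause rather than one pattern.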