
Re: slapd and permissions



Well, I am using OpenLDAP version 2.1.26, now I have even added ".regex" where 
needed. But it still doesn't work :( Users still don't have write access to 
their objects inside "Domains".

Now it looks like this and should be 2.1 and 2.2 compatible :P.
access to dn.regex="ou=Domains,uid=(.*),ou=Drones,dc=unimatrix-one,dc=org"
        by dn="cn=root,dc=unimatrix-one,dc=org" write
        by dn="cn=borgd,dc=unimatrix-one,dc=org" write
        by dn.regex="uid=$1,ou=Drones,dc=unimatrix-one,dc=org" write
        by * read


Regards,
Kostko.

On Friday 09 of April 2004 15:16, Pierangelo Masarati wrote:
> depending on the version of the code you're running, this can either be
> wrong or right.  In 2.1, this should be almost fine; in 2.2 it's definitely
> wrong, because the default for DN match in <who> clauses has moved from
> "regex" to "exact", and your third <who> clause doesn't do what you expect.
> This is very well documented in the slapd.access(5) man page that
> accompanies the code in each version (I wrote it myself, so I know it quite
> well) and it is a clear demonstration that defaults should never be trusted
> (I think they'll be removed at some point).
> It has also been mentioned many times on the mailing lists because it is
> a common source of errors.
-- 
Kostko <kostko@jweb-network.net>
JWeb-Network
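
Added example, not part of the original message and not OpenLDAP code: a simplified Python model of how the <who> clauses of the ACL above resolve when a bare dn="..." defaults to "regex" (2.1) versus "exact" (2.2). It models only the match-style default described in the quoted reply; the DN normalization is simplified, and uid=alice and the domain entry are constructed sample values.

```python
import re

# ACL from the message above, with bare dn="..." <who> clauses as discussed
# in the quoted reply. Style None = no style given, so the default applies.
WHAT = r"ou=Domains,uid=(.*),ou=Drones,dc=unimatrix-one,dc=org"
BASE = "dc=unimatrix-one,dc=org"
WHO_BARE = [
    (None, "cn=root," + BASE, "write"),
    (None, "cn=borgd," + BASE, "write"),
    (None, "uid=$1,ou=Drones," + BASE, "write"),
    ("any", "*", "read"),
]
# Same list with an explicit style on the clause that uses $1.
WHO_EXPLICIT = [c if "$1" not in c[1] else ("regex",) + c[1:] for c in WHO_BARE]


def norm(dn):
    """Simplified DN normalization: case-fold, drop spaces after commas."""
    return re.sub(r",\s+", ",", dn.strip().lower())


def evaluate(target_dn, bind_dn, default_style, who=WHO_BARE):
    """Return the access level granted by the first matching <who> clause."""
    what = re.search(WHAT, norm(target_dn), re.I)
    if what is None:
        return None  # this ACL does not apply to the target entry
    for style, pattern, level in who:
        style = style or default_style
        if style == "any":
            return level
        if style == "exact":
            # "$1" is not expanded: the pattern is compared as a literal DN.
            hit = norm(pattern) == norm(bind_dn)
        else:
            # regex: $<digit> is replaced by the <what> submatch, then matched.
            expanded = re.sub(r"\$(\d)", lambda m: what.group(int(m.group(1))), pattern)
            hit = re.search(expanded, norm(bind_dn), re.I) is not None
        if hit:
            return level
    return None


# Constructed sample DNs (not taken from the thread).
ALICE = "uid=alice,ou=Drones," + BASE
TARGET = "cn=example.org,ou=Domains,uid=alice,ou=Drones," + BASE

if __name__ == "__main__":
    for default in ("regex", "exact"):
        print(default, "bare:", evaluate(TARGET, ALICE, default),
              "explicit:", evaluate(TARGET, ALICE, default, WHO_EXPLICIT))
```

In the model, the bare clause under the "exact" default never matches any bind DN, so the user falls through to "by * read" with no error to point at the cause.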