Hi all,
I am just beginning to learn the syntax for access control with slapd.
My question pertains to group regex's. The administrators manual and the
slapd.access man page leave me a little confused.
Quote from the slapd.access man page:
------------------------------------------------------------------------
The statement dn=<pattern> means that access is granted to the matching
DN. The optional style qualifier dnstyle allows the same choices of
the dn form of the <what> field. In addition, the regex form of
pattern can exploit substring substitution of submatches in the
<what> dn.regex clause by using the form $<digit>, with digit ranging
from 1 to 9.
------------------------------------------------------------------------
Do the submatches work for groups also. For instance, take the following:
-------------------------------------------------------------
access to dn="cn=(.+),dc=example,dc=com"
by group.regex="cn=$1,cn=test,dc=example,dc=com" write
by * read
access to * by * read
-------------------------------------------------------------
If they do indeed work for group.regex, then I would expect that access
to an entry "cn=penguin,dc=example,dc=com" would be writable by the
group "cn=penguin,cn=test,dc=example,dc=com" right?
I tried this and it didn't work. I get insuficient rights errors when
attempting to add an entry. Any help understanding this is appreciated.
I'm running openldap-2.1.21 on Linux(Fedora Core 1).
Also, does anyone know of a good book that covers access control in
detail, or maybe links to some good tutorials or articles.
Thanks,
--
Matt M.