Re: group.regex

["Matt M." <lmatt@ironblue.com>]

Ace Suares wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> You;ll find the answer here:
>
> 	http://www.openldap.org/lists/openldap-bugs/200310/msg00089.html
>
> and here:
>
> 	http://www.openldap.org/lists/openldap-software/200310/msg00328.html

Thanks Ace. That definitely answered my question. Still, at first I 
wasn't able to get it to work. Once I got logging enabled properly(with 
the correct log level) I was able to figure out what was going on. In my 
example:

	access to dn="cn=(.+),dc=example,dc=com"
	by group.regex="cn=$1,cn=test,dc=example,dc=com" write

This didn't work, because what happens is that write access is asked for 
and the full dn of the new entry is passed in the request. So if I want 
write access to "cn=penguin,dc=example,dc=com" and want to create an 
entry "cn=nothing,cn=penguin,dc=example,dc=com", the match from the 
above regex($1) would be "nothinig,cn=penguin". Then, the group 
"cn=nothinig,cn=penguin,cn=test,dc=example,dc=com" is searched for, and 
not found. The group should be "cn=penguin,cn=test,dc=example,dc=com". 
This ended up working:

 	access to dn=".*cn=(.+),dc=example,dc=com"
	by group.regex="cn=$1,cn=test,dc=example,dc=com" write


A note about my second question. In your messages you link to above, you 
mention that you plan to write documentation on access control. I guess 
that would be because there isn't any good documentation in existence. 
Have you had a chance to do so? If so, I would love to see what you have.

Regards,

Matt M.


> > Hi all,
> >
> > I am just beginning to learn the syntax for access control with slapd.
> > My question pertains to group regex's. The administrators manual and the
> > slapd.access man page leave me a little confused.
> >
> > Quote from the slapd.access man page:
> > ------------------------------------------------------------------------
> > The statement dn=<pattern> means that access is granted to the matching
> > DN.  The optional style qualifier dnstyle allows the  same  choices  of
> > the  dn	form of the <what> field.  In addition, the regex form of
> > pattern can exploit substring substitution of  submatches  in  the
> > <what> dn.regex  clause  by using the form $<digit>, with digit ranging
> > from 1 to 9.
> > ------------------------------------------------------------------------
> >
> > Do the submatches work for groups also. For instance, take the following:
> >
> > -------------------------------------------------------------
> > access to dn="cn=(.+),dc=example,dc=com"
> > by group.regex="cn=$1,cn=test,dc=example,dc=com" write
> > by * read
> >
> > access to * by * read
> > -------------------------------------------------------------
> >
> > If they do indeed work for group.regex, then I would expect that access
> > to an entry "cn=penguin,dc=example,dc=com" would be writable by the
> > group "cn=penguin,cn=test,dc=example,dc=com" right?
> >
> > I tried this and it didn't work. I get insuficient rights errors when
> > attempting to add an entry. Any help understanding this is appreciated.
> > I'm running openldap-2.1.21 on Linux(Fedora Core 1).
> >
> > Also, does anyone know of a good book that covers access control in
> > detail, or maybe links to some good tutorials or articles.
> >
> > Thanks,
> >
> > --
> > Matt M.
>
>
> - -- 
> Ace Suares' Internet Consultancy
> NIEUW ADRES: Postbus 2599, 4800 CN Breda
> telefoon: 06-244 33 608
> fax en voicemail: 0848-707 705
> website: http://www.suares.nl * http://www.qwikzite.nl
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)
>
> iD8DBQFAgzOmy7boE8xtIjURAiL0AJ4hRIRcoi6328l+CX8hvVVV3WxeLACfb9Q5
> Bit5JHwaBDumGz0Mm3elQGA=
> =1y2Z
> -----END PGP SIGNATURE-----