Re: dnattr access rule
Tony Earnshaw wrote:
Mon, 16.08.2004 at 00:09, dju` wrote:
I need to grant access to an entry (and its children) to another entry
of my ldap that is listed in a specific attribute.
I have:
cn=foo,ou=people,dc=domain,dc=tld
This entry has a seeAlso attribute, which contains the DN of a user able
to modify it.
seeAlso: uid=bar,ou=users,dc=domain,dc=tld
I want to make uid=bar,ou=users able to modify cn=foo,ou=people and able
to add children to it. The following access rule doesn't seem to be right:
access to dn="^.*cn=([^,]+),ou=people,dc=domain,dc=tld$"
by dnattr=seeAlso write
by * none
Can you give me help for this please? Thanks for feedback.
You don't state your OL version; ACLs are sometimes different for
different versions.
Oops, I forgot. I'm running 2.1.30 (latest stable on Gentoo).
However, you would do better to make a groupOfNames or
groupOfUniqueNames and give that group write access. Works for me ;)
Well, in my case, one entry from ou=people will be only writable by a
unique user, so I don't want to write as many ACL rules as there are ou=people
entries in slapd.conf, and create a group for each ou=people entry.
That's why I want to make a generic rule and use dnattr.
Actually I want to give access to a certain DN stored in the parent
entry, and I believe dnattr is evaluated on the entry I want to access,
and not on its parent. So how could I:
1/ use $1 from dn="^.*cn=([^,]+),ou=people,dc=domain,dc=tld$"
2/ look at the seeAlso attribute of $1,ou=people,dc=domain,dc=tld
3/ give access to the dn stored in
Any hint to make it work, please?
--
--dju`
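To make the point of the thread concrete, here is an added example (not code from the list post and not slapd code) that models how slapd evaluates the rule dju` posted. It follows the documented semantics of `dnattr=<attr>` in slapd.access(5): the `by dnattr=seeAlso` clause matches when the entry being accessed itself carries a `seeAlso` value equal to the requestor's DN. The directory contents are constructed for the example, and the `dnattr_on_parent` flag is a hypothetical variant that shows what the poster is asking for (checking the parent's `seeAlso`), which real `dnattr` does not do.

```python
import re

# Constructed sample directory for this example: DN -> attributes.
# cn=foo carries the seeAlso described in the post; its child does not.
DIRECTORY = {
    "cn=foo,ou=people,dc=domain,dc=tld": {
        "seeAlso": ["uid=bar,ou=users,dc=domain,dc=tld"],
    },
    "cn=note1,cn=foo,ou=people,dc=domain,dc=tld": {
        "description": ["child entry of cn=foo, no seeAlso of its own"],
    },
    "cn=baz,ou=people,dc=domain,dc=tld": {
        "seeAlso": ["uid=other,ou=users,dc=domain,dc=tld"],
    },
}

# The `to dn=` regex exactly as posted.  Note the leading `.*`: it makes
# the pattern match children of cn=foo as well, so the rule does apply to
# them; what fails for a child is the `by dnattr=seeAlso` clause.
TARGET_RE = re.compile(r"^.*cn=([^,]+),ou=people,dc=domain,dc=tld$")


def normalize_dn(dn):
    """Cheap DN normalization (case-fold, drop spaces after commas).
    slapd does proper matching-rule normalization; this is enough here."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parent_dn(dn):
    """DN of the parent entry: strip the first RDN."""
    return dn.split(",", 1)[1] if "," in dn else ""


def access_level(target_dn, requestor_dn, dnattr_on_parent=False):
    """Evaluate the posted access rule for one request.

    Returns "write" or "none" when the `to` clause matches, and None when
    it does not (slapd would then fall through to the next access line).

    dnattr_on_parent=True is a hypothetical variant, not a slapd feature:
    it looks at the parent's seeAlso instead of the target entry's own.
    """
    if not TARGET_RE.match(target_dn):
        return None
    checked_dn = parent_dn(target_dn) if dnattr_on_parent else target_dn
    # An entry that is only being added does not exist yet, so it has no
    # attributes to match against; a missing entry is treated the same way.
    attrs = DIRECTORY.get(normalize_dn(checked_dn), {})
    allowed = {normalize_dn(v) for v in attrs.get("seeAlso", [])}
    if normalize_dn(requestor_dn) in allowed:
        return "write"          # by dnattr=seeAlso write
    return "none"               # by * none


if __name__ == "__main__":
    bar = "uid=bar,ou=users,dc=domain,dc=tld"
    for dn in DIRECTORY:
        print(f"{bar} on {dn}: {access_level(dn, bar)}")
```

Run as-is, the model gives uid=bar `write` on cn=foo and `none` on cn=note1 below it, which is exactly the behaviour the poster describes: the child entry does not carry the `seeAlso` value, so `dnattr` has nothing to match, unless the child itself is given a matching `seeAlso`. Only the hypothetical parent lookup produces `write` for the child.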