Re: dnattr access rule

[dju` <dju.ml@elegiac.net>]

Tony Earnshaw wrote:
> man, 16.08.2004 kl. 00.09 skrev dju`:
>
> > I need to grant access to an entry (and its children) to another entry 
> > of my ldap that is listed in a specific attribute.
> >
> > I have:
> >
> > cn=foo,ou=people,dc=domain,dc=tld
> >
> > This entry has a seeAlso attribute, which contains the DN of a user able 
> > to modify it.
> >
> > seeAlso: uid=bar,ou=users,dc=domain,dc=tld
> >
> > I want to make uid=bar,ou=users able to modify cn=foo,ou=people and able 
> > to add children to it. The following access rule doesn't seem to be right:
> >
> > access to dn="^.*cn=([^,]+),ou=people,dc=domain,dc=tld$"
> > 	by dnattr=seeAlso write
> > 	by *	none
> >
> > Can you give me help for this please? Thanks for feedback.
>
>
> You don't state your OL version; ACLs are sometimes different for
> different versions.

oops, i forgot. i'm running 2.1.30 (latest stable on gentoo).

 However, you could better make a groupOfNames or
> groupOfUniqueNames and give that group write access. Works for me ;)

well, in my case, one entry from ou=people will be only writable by a
unique user, so i don't want to write as many ACL rules as ou=people
entries in slapd.conf, and create a group for each ou=people entry.
that's why i want to make a generic rule and use dnattr.

actually i want to give access to a certain dn stored in the parent 
entry, and i believe dnattr is used on the entry i want to access to, 
and not its parent. so how could i:

1/ use $1 from dn="^.*cn=([^,]+),ou=people,dc=domain,dc=tld$"
2/ look at the seeAlso attribute of $1,ou=people,dc=domain,dc=tld
3/ give access to the dn stored in

any hint to make it work please?
--
--dju`