Re: dnattr access rule
Mon, 16.08.2004 at 12.57, dju` wrote:
[...]
> > You don't state your OL version; ACLs are sometimes different for
> > different versions.
>
> oops, i forgot. i'm running 2.1.30 (latest stable on gentoo).
O.k.
> > However, you could better make a groupOfNames or
> > groupOfUniqueNames and give that group write access. Works for me ;)
>
> well, in my case, one entry from ou=people will be only writable by a
> unique user, so i don't want to write as many ACL rules as ou=people
> entries in slapd.conf, and create a group for each ou=people entry.
> that's why i want to make a generic rule and use dnattr.
>
> actually i want to give access to a certain dn stored in the parent
> entry, and i believe dnattr is used on the entry i want to access to,
> and not its parent. so how could i:
>
> 1/ use $1 from dn="^.*cn=([^,]+),ou=people,dc=domain,dc=tld$"
> 2/ look at the seeAlso attribute of $1,ou=people,dc=domain,dc=tld
> 3/ give access to the dn stored in
>
> any hint to make it work please?
I guess, if you only want to grant a single dn privileges, something
like:
access to dn.subtree=ou=people,dc=domain,dc=tld
    by dn=cn=manager,ou=people,dc=domain,dc=tld write
    etc
Works for me (2.2 ;)
Not much point in granting rights to a single dn, without what's below
it, but you know what you want best. Try to avoid regexps where
possible.
--Tonni
--
My other notebook, a Compaq 700EA, is what my cats jump off my knee and
go and sit on, when they've had enough.
mail: tonye@billy.demon.nl
http://www.billy.demon.nl