>> So why doesn't the syntax provided by faq-o-matic for granting access
...
> problem you're experiencing. Can you elaborate on it?
I can't find an example of the correct syntax (written in English as
opposed to BNF) to save my (or anyone else's) life. I believe
Mandrake's Buchan Milne has also taken a crack at this as he was the
one who originally set up the generic regex based ACLs.
http://www.openldap.org/faq/index.cgi?_highlightWords=group%20access&file=52
From the faq-o-matic, specifically:
> The above examples assume that the group members are to be found
> in the "member" attribute type of the "groupOfNames" object class.
> If you need to use a different group object and/or a different
> attribute type then use the following slapd.conf syntax:
>
>
> access to <what>
> by group/<objectclass>/<attributename>=<dn-regex> <access>
...and yet this does not work:
> access to dn.regex="([^,]+,)?ou=People,(dc=[^,]+(,dc=[^,]+)*)$"
> attrs=inetOrgPerson,mail
> by self write
> by dn.exact,expand="uid=Administrator,ou=People,$2" write
> by group/posixgroup/memberUid="cn=Domain Controllers,ou=Group,$2" write
> by group="cn=Replicator,ou=Group,$2" write
> by users read
> by anonymous read
I really hate the idea of data redundancy when that is specifically
what databases are supposed to avoid and of course the entry below
does work but you have to keep duplicate groups in the "Access Groups"
OU:
> access to dn.regex="([^,]+,)?ou=People,(dc=[^,]+(,dc=[^,]+)*)$"
> attrs=inetOrgPerson,mail
> by self write
> by dn.exact,expand="uid=Administrator,ou=People,$2" write
> by group="cn=Domain Controllers,ou=Group,$2" write
> by group="cn=Domain Controllers,ou=Access Groups,$2" write
> by group="cn=Replicator,ou=Group,$2" write
> by users read
> by anonymous read
The error for the problem entry is:
[root@enigma 0 openldap]$ slapd -t
/etc/openldap/slapd.access.conf: line 26: group "cn=Domain Controllers,ou=Group,$2": inappropriate syntax: 1.3.6.1.4.1.1466.115.121.1.26
...
Where can I find an English representation of the syntax for such a
reference which I assume is an OID or something?
Jim C.
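
Added example, not part of the original post: a small Python lint that checks the `by group/<objectclass>/<attributename>=` clauses of a slapd.conf ACL against the syntax OID of the membership attribute. It assumes slapd accepts only DN-valued attributes (Distinguished Name or Name And Optional UID syntax) in a group clause, and that 1.3.6.1.4.1.1466.115.121.1.26, the OID in the error above, is the IA5 String syntax that nis.schema gives `memberUid`. The name `lint_group_acls` and the attribute table are hypothetical, and the sample is constructed from the ACL quoted in the post.

```python
import re

# Syntax OIDs as defined in the standard core.schema / nis.schema files.
DN_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.12"       # Distinguished Name
NAMEUID_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.34"  # Name And Optional UID
IA5_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.26"      # IA5 String

# Hand-built subset for illustration; extend it from your own schema files.
ATTR_SYNTAX = {
    "member": DN_SYNTAX,
    "uniquemember": NAMEUID_SYNTAX,
    "memberuid": IA5_SYNTAX,
}

# by group[/<objectclass>[/<attrname>]][.<style>]=<pattern>
GROUP_BY = re.compile(
    r'\bby\s+group(?:/([^/=\s.]+)(?:/([^/=\s.]+))?)?(?:\.\w+)?=("[^"]*"|\S+)',
    re.IGNORECASE,
)

def lint_group_acls(conf_text):
    """Return (line number, attribute, syntax OID or None) for every group
    clause whose membership attribute cannot hold a DN."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        for m in GROUP_BY.finditer(line):
            attr = m.group(2) or "member"  # default is groupOfNames/member
            syntax = ATTR_SYNTAX.get(attr.lower())
            if syntax not in (DN_SYNTAX, NAMEUID_SYNTAX):
                findings.append((lineno, attr, syntax))  # None = not in table
    return findings

# Constructed sample based on the ACL quoted in the post.
SAMPLE = '''\
access to dn.regex="([^,]+,)?ou=People,(dc=[^,]+(,dc=[^,]+)*)$"
    attrs=inetOrgPerson,mail
    by self write
    by group/posixgroup/memberUid="cn=Domain Controllers,ou=Group,$2" write
    by group="cn=Replicator,ou=Group,$2" write
    by users read
'''

if __name__ == "__main__":
    for lineno, attr, syntax in lint_group_acls(SAMPLE):
        print(f"line {lineno}: group attribute {attr} has syntax {syntax}, not a DN")
```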