
Subordinate ACL question



Is the following sufficient to allow members of group cn=BAR to create
entries of objectClass favouriteDrink under cn=FOO? (Obviously the DNs
and object class are hypothetical.)

access to dn.children=cn=FOO attrs=children,entry,@favouriteDrink
	by group/group/member.exact=cn=BAR write

I'm a bit confused as the examples I've seen seem to show different
ACLs for access to children and entry. I'm using the following ACLs
successfully to allow principals to create subordinate entries to
themselves:

access to dn.regex="^cn=([^,]+),cn=FOO" attrs=children
	by dn.exact,expand="cn=$1,cn=BAR" write

access to dn.regex="^[^,]+,cn=([^,]+),cn=FOO" attrs=entry,@favouriteDrink
	by dn.exact,expand="cn=$1,cn=BAR" write

A corollary of my first question is whether these can be collapsed
to:

access to dn.regex="^cn=([^,]+),cn=FOO" attrs=children,entry,@favouriteDrink
	by dn.exact,expand="cn=$1,cn=BAR" write


-- Luke
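
Added example, not part of the original post and not slapd's own evaluation code: a simplified Python model of how the dn.regex rules quoted above are matched when an entry is added. It relies on the slapd.access(5) rule that an add needs write on the parent's children pseudo-attribute and on the new entry's entry pseudo-attribute. The sample DNs (cn=alice, cn=tea) and the helper names are constructed for illustration.

```python
import re

# Simplified model of slapd ACL matching for the regex rules quoted above.
# Assumptions: constructed DNs with no escaped commas, case-insensitive DN
# comparison, only dn.regex targets and dn.exact,expand subjects.

SPLIT = [  # the two working rules from the post
    (r"^cn=([^,]+),cn=FOO", {"children"}, "cn=$1,cn=BAR"),
    (r"^[^,]+,cn=([^,]+),cn=FOO", {"entry", "@favouriteDrink"}, "cn=$1,cn=BAR"),
]
COLLAPSED = [  # the proposed single rule
    (r"^cn=([^,]+),cn=FOO", {"children", "entry", "@favouriteDrink"},
     "cn=$1,cn=BAR"),
]


def has_write(rules, bind_dn, target_dn, attr):
    """The first rule whose target regex and attribute list both match decides."""
    for pattern, attrs, who in rules:
        m = re.search(pattern, target_dn, re.IGNORECASE)
        if m and attr in attrs:
            expanded = who.replace("$1", m.group(1))
            # Later rules are not consulted once a target matches: the clause
            # ends with an implicit "by * none".
            return expanded.lower() == bind_dn.lower()
    return False  # no rule matched this target and attribute: denied


def add_checks(rules, bind_dn, new_dn):
    """Report the two write checks an add operation has to pass."""
    parent_dn = new_dn.split(",", 1)[1]
    return {
        "children@parent": has_write(rules, bind_dn, parent_dn, "children"),
        "entry@new": has_write(rules, bind_dn, new_dn, "entry"),
    }


if __name__ == "__main__":
    bind, new = "cn=alice,cn=BAR", "cn=tea,cn=alice,cn=FOO"  # constructed DNs
    for name, rules in (("split", SPLIT), ("collapsed", COLLAPSED)):
        print(name, add_checks(rules, bind, new))
```

In this model the single regex matches the parent DN but not the DN of the entry being added, so the entry check has no matching rule. Running slapacl against a test database is the way to confirm the behaviour on a real server.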
