[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Rights to create a new entry
After a lot of tries, I manage to autorise a user to
create a subentry of it own entry with the following
ACL :
access to dn.regex="[^,]+,(cn=[^,]+,ou=users,dc=ouba,dc=org)$"
attrs="children"
by anonymous none
by users none
access to dn.regex="[^,]+,(cn=[^,]+,ou=users,dc=ouba,dc=org)$"
by dn.exact,expand="$2" write
by anonymous none
by users none
The first one is to autorise only one level because the second
one give implicit write permission to the children attribute.
Then, in order to modify easily the entry with phpldapadmin, I
have to add this ACL :
access to dn.base="cn=SubSchema"
attrs="objectClasses,attributeTypes,ldapSyntaxes"
by anonymous none
by users read
Now, I have a little problem, because in reality, when I look
for the log, it seems the $2 is not expanded correctly :
Dec 1 15:54:24 smtp slapd[26346]: <= check a_dn_pat: $2
I'm with an openldap 2.1.30, should I upgrade to 2.2.x
serie ? Because my distribution (Gentoo) doesn't have
ebuild for this version (only a test ebuild).
Perhaps my syntax is not correct, but into the 2.1.x man
pages slapd.access, the expand, regex, etc ... are not
described well.
Thanks ...
Denis
Mailing List wrote:
Hi,
I would like to autorize my users to create new entry
below their own. I read a lot of thing into the faq,
I manage to get ACL give the right to write to an
entry below a specific entry, but impossible to give
the right to create a brand new entry. In the log file,
it claims about access to "cn=SubSchema".
Can someone say me what are the minimum rights to create
a new entry ?
Thanks in advance
Cordially
Denis