Re: ACL rule problem
On Feb 12, 2005, at 20:45, Jens Vagelpohl wrote:
The ACL:
--------------------------
access to dn.regex="^(.+,)?ou=([^,]+),ou=mail,dc=mycompany,dc=com$"
  by group/groupOfUniqueNames/uniqueMember.regex="^ou=$2,ou=mail,dc=mycompany,dc=com$$" write
  by * none
--------------------------
The outcome:
----------------
=> access_allowed: search access to
"ou=mycompany.com,ou=mail,dc=mycompany,dc=com" "objectClass" requested
=> acl_get: [1] check attr objectClass
=> dnpat: [2] ^(.+,)?ou=([^,]+),ou=mail,dc=mycompany,dc=com$ nsub: 2
=> acl_get: [2] matched
=> acl_get: [2] check attr objectClass
<= acl_get: [2] acl ou=mycompany.com,ou=mail,dc=mycompany,dc=com attr:
objectClass
=> acl_mask: access to entry
"ou=mycompany.com,ou=mail,dc=mycompany,dc=com", attr "objectClass"
requested
=> acl_mask: to value by
"cn=jens@mycompany.com,ou=mycompany.com,ou=mail,dc=mycompany,dc=com",
(=n)
-----------------
As usual, a small change made it work a few minutes after posting. The
working ACL looks like this, and the change simply involves removing
the "$" at the end and the "^" at the front, and adding the "expand"
qualifier to the "who" rule:
-------------------
access to dn.regex="^(.+,)?ou=([^,]+),ou=mail,dc=mycompany,dc=com$"
  by group/groupOfUniqueNames/uniqueMember.regex,expand="ou=$2,ou=mail,dc=mycompany,dc=com" write
-------------------
jens
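As an added illustration (not part of the post above or of OpenLDAP's own code), the following Python simulation shows the mechanics the working ACL relies on: the `<what>` regex captures the mailbox domain as submatch `$2`, the `<who>` pattern is expanded with that submatch into a group DN, and access is granted only if the bind DN is a `uniqueMember` of that group. The group entry and the bind DN are constructed sample data, and the simulation skips slapd's DN normalisation (exact string comparison only).

```python
import re

# The two patterns from the working ACL in the thread.
WHAT_REGEX = r"^(.+,)?ou=([^,]+),ou=mail,dc=mycompany,dc=com$"
WHO_PATTERN = "ou=$2,ou=mail,dc=mycompany,dc=com"  # expanded per target entry

# Constructed sample directory: group DN -> set of uniqueMember DNs.
# In the real server this lookup is done against the groupOfUniqueNames entry.
DIRECTORY = {
    "ou=mycompany.com,ou=mail,dc=mycompany,dc=com": {
        "cn=jens@mycompany.com,ou=mycompany.com,ou=mail,dc=mycompany,dc=com",
    },
}


def expand(pattern, match):
    """Substitute $N with the N-th submatch of the <what> regex.

    '$$' is treated as a literal '$'; an unmatched optional group expands
    to the empty string.
    """
    def repl(tok):
        text = tok.group(0)
        if text == "$$":
            return "$"
        sub = match.group(int(text[1:]))
        return sub if sub is not None else ""
    return re.sub(r"\$\$|\$\d", repl, pattern)


def access_allowed(target_dn, bind_dn):
    """Evaluate the rule for one (target, bind DN) pair.

    Returns 'write' if bind_dn is a member of the expanded group DN,
    'none' if the rule matched but membership failed, and None if the
    <what> regex did not match (the rule does not apply).
    """
    m = re.match(WHAT_REGEX, target_dn)
    if not m:
        return None
    group_dn = expand(WHO_PATTERN, m)          # e.g. ou=mycompany.com,ou=mail,...
    members = DIRECTORY.get(group_dn, set())   # simplified: exact-string DN lookup
    return "write" if bind_dn in members else "none"
```

Because `$2` is taken from the target entry's DN, the same rule scopes each domain's group to its own subtree: a member of the `mycompany.com` group gets no write access under `ou=other.com,ou=mail,...`.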