ACL attr=children problem
Hello,
I have some problems when trying to set an ACL for my mail LDAP tree. Here
is a bit of background information.
My sample tree in short form:
dc=my,dc=domain,dc=com
-> cn=admin,dc=my,dc=domain,dc=com
-> ou=domains,dc=my,dc=domain,dc=com
-> ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com
-> cn=postmaster,ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com
-> cn=mailuser1,ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com
-> cn=mailuser2,ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com
I want to give postmasters full access to their domain ou. In this
example, write access by
cn=postmaster,ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com to the
subtree of ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com.
I tested the following static ACL, so that I can later change and
generalize it with a regexp:
access to dn="ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com"
attrs=children
by dn="cn=postmaster,ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com" write
Changes to the object cn=mailuser1 in the same ou fail with "insufficient
access", so something went wrong with the pseudo-attribute children.
I chose this syntax because I want to generalize it later as follows,
if I'm correct:
access to dn.regex="^ou=(.+),ou=domains,suffix$"
attrs=children
by dn.regex="^cn=postmaster,ou=$1,ou=domains,suffix$" write
So I can't use the dn.subtree function, because I use the regex
functionality. This static ACL works great:
access to dn.subtree="ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com"
by dn="cn=postmaster,ou=otherdomain,ou=domains,dc=my,dc=domain,dc=com" write
But what is the right way to do this? I'm searching for a general ACL
which controls access for each domain listed under ou=domains.
My system is a brand new Debian sarge machine with OpenLDAP 2.2.23-8.
Many thanks for your help.
Cheers, Jimmy
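The children pseudo-attribute only governs adding and deleting entries directly beneath the named entry, so a per-domain rule that must also cover attribute changes on cn=mailuser1 has to match the child entries themselves in the "to" clause. The slapd.conf fragment below is an added example, not part of the original post; it assumes the poster's suffix dc=my,dc=domain,dc=com and the sample tree above, and the second rule generalizes the working dn.subtree ACL to every domain under ou=domains.

```conf
# Added example (not from the original post). Assumes the poster's suffix
# dc=my,dc=domain,dc=com and the sample tree above; adjust to your suffix.

# Narrow form, as in the post: the regex matches only the domain ou entry
# itself, and attrs=children only covers adding or deleting entries
# directly beneath it, so modifying cn=mailuser1 is NOT covered.
access to dn.regex="^ou=([^,]+),ou=domains,dc=my,dc=domain,dc=com$"
        attrs=children
        by dn.regex="^cn=postmaster,ou=$1,ou=domains,dc=my,dc=domain,dc=com$" write

# Subtree-aware form: the optional "(.+,)?" prefix makes the rule match the
# domain ou AND every entry below it, so the domain name moves to group $2.
# The postmaster bind DN is built from the domain captured out of the
# target DN, so cn=postmaster,ou=otherdomain only matches targets under
# ou=otherdomain and gets nothing under any other domain ou.
access to dn.regex="^(.+,)?ou=([^,]+),ou=domains,dc=my,dc=domain,dc=com$"
        by dn.regex="^cn=postmaster,ou=$2,ou=domains,dc=my,dc=domain,dc=com$" write
        by * none

# slapd evaluates access directives in order and stops at the first "to"
# clause that matches the target, so this rule must precede any broader
# "access to *" rule, or it will never be reached.
```

Keep the domain ou values free of regex metacharacters, since the captured text is substituted into the "by" regex verbatim.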