
Re: ACL attr=children problem



Pierangelo Masarati wrote:
> On Wed, 2005-11-16 at 15:48 +0100, Jimmy Ott wrote:
> 
>>>Did you read slapd.access(5)?  If you didn't, go and do it.  If you did,
>>>you might have misunderstood the meaning of the pseudo-attribute
>>>"children".
> 
> 
>>i've read it a few times, but so i've misunderstood it, my english isn't
>>very good.
>>
>>quote: "The statement attrs=<attrlist> selects the attributes the access
>>control rule applies to. It is a comma-separated list of attribute
>>types, plus the special names entry, indicating access to the entry
>>itself, and children, indicating access to the entry's children"
>>
>>what are the entry's children? not child objects of an ou?
>>and what is the right approach for my problem?
> 
> 
> You should go a little below.  "children" grants access to child objects
> for the appropriate operations, i.e. to add a child or delete one.  They
> have nothing to do with accessing the child entry itself.  It's the
> "entry" pseudo-attribute that refers to the object itself (i.e., for a
> search, to the possibility to return the DN).
> 
> If you look at the "OPERATION REQUIREMENTS" section, you'll see what
> access to what entities is required for each operation and each
> operation phase.  Since you're using an old (and patched by the packager
> and known to be buggy) version, this section may be incomplete or even
> not present, I don't recall.  In that case, I suggest you grab a more
> recent version (e.g. the one from OpenLDAP 2.2.29, or even from the 2.3
> branch, although in that case there might be small and subtle
> differences).  You may even feel like upgrading :)
> 
> p.
> 
> 
> 
> 
> Ing. Pierangelo Masarati
> Responsabile Open Solution
> 
> SysNet s.n.c.
> Via Dossi, 8 - 27100 Pavia - ITALIA
> http://www.sys-net.it
> ------------------------------------------
> Office:   +39.02.23998309          
> Mobile:   +39.333.4963172
> Email:    pierangelo.masarati@sys-net.it
> ------------------------------------------
> 
> 
> 

okay,

i was too stupid to think.
i solved it now with:

access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=intra,dc=onnet,dc=ch$"
  by dn.regex="^cn=postmaster,ou=$2,ou=domains,dc=intra,dc=onnet,dc=ch$" write

yippiee! thanks for your help, you pointed me to the right approach!

cheers jimmy
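As an added example (not from this thread or from OpenLDAP itself), here is the same postmaster setup split into separate slapd.conf rules so that the "children" and "entry" pseudo-attributes Pierangelo describes become visible. The tree layout is assumed from Jimmy's regexes: one ou=<domain> container per mail domain under ou=domains,dc=intra,dc=onnet,dc=ch, with a cn=postmaster entry and one entry per mailbox beneath it.

```conf
# Assumed layout (taken from the regexes in the thread): one ou=<domain>
# container per mail domain under ou=domains,dc=intra,dc=onnet,dc=ch,
# holding a cn=postmaster entry and one entry per mailbox.
# [^,]+ instead of .+ pins each capture to a single RDN, so $1 can never
# carry a comma into the "by" clause. Rules are evaluated first-match per
# (entry, attribute), so the specific container rules come first.

# 1a. "children" of the domain container: this is what ldapadd and
#     ldapdelete of a mailbox actually check. Only that domain's own
#     postmaster may write; nobody else gets add/delete under it.
access to dn.regex="^ou=([^,]+),ou=domains,dc=intra,dc=onnet,dc=ch$" attrs=children
  by dn.regex="^cn=postmaster,ou=$1,ou=domains,dc=intra,dc=onnet,dc=ch$" write
  by * none

# 1b. The container's own attributes and its "entry" pseudo-attribute:
#     read lets a search pass through and return ou=<domain>, but the
#     postmaster cannot modify, rename or delete the container itself.
access to dn.regex="^ou=([^,]+),ou=domains,dc=intra,dc=onnet,dc=ch$"
  by dn.regex="^cn=postmaster,ou=$1,ou=domains,dc=intra,dc=onnet,dc=ch$" read
  by * none

# 2.  The mailbox entries below the container. No attrs list is given, so
#     the rule covers their attributes plus their own "entry"
#     pseudo-attribute, which modify and delete of the mailbox check.
#     Without 1a an add would still be refused: "children" is evaluated
#     on the parent, not on the entry being added.
access to dn.regex="^[^,]+,ou=([^,]+),ou=domains,dc=intra,dc=onnet,dc=ch$"
  by dn.regex="^cn=postmaster,ou=$1,ou=domains,dc=intra,dc=onnet,dc=ch$" write
  by self read
  by * none

# Caveat: the expanded $1 is re-read as part of a regex in the "by"
# clause, so a "." in a domain name (ou=example.ch) matches any character.
# On OpenLDAP 2.3 and later the expand modifier keeps the comparison
# exact:
#   by dn.exact,expand="cn=postmaster,ou=$1,ou=domains,dc=intra,dc=onnet,dc=ch" write
```

Test the split with ldapsearch, ldapadd and ldapdelete bound as a postmaster of one domain against entries of another domain; slapd -d acl (or loglevel acl) prints which rule and which pseudo-attribute decided each operation.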