Re: ACL attr=children problem
Pierangelo Masarati wrote:
> On Wed, 2005-11-16 at 15:48 +0100, Jimmy Ott wrote:
>
>>>Did you read slapd.access(5)? If you didn't, go and do it. If you did,
>>>you might have misunderstood the meaning of the pseudo-attribute
>>>"children".
>
>>I've read it a few times, but apparently I've misunderstood it; my English isn't
>>very good.
>>
>>quote: "The statement attrs=<attrlist> selects the attributes the access
>>control rule applies to. It is a comma-separated list of attribute
>>types, plus the special names entry, indicating access to the entry
>>itself, and children, indicating access to the entry's children"
>>
>>What are the entry's children? Not child objects of an ou?
>>And what is the right approach for my problem?
>
> You should go a little below. "children" grants access to child objects
> for the appropriate operations, i.e. to add a child or delete one. They
> have nothing to do with accessing the child entry itself. It's the
> "entry" pseudo-attribute that refers to the object itself (i.e., for a
> search, to the possibility to return the DN).
>
> If you look at the "OPERATION REQUIREMENTS" section, you'll see what
> access to what entities is required for each operation and each
> operation phase. Since you're using an old (and patched by the packager
> and known to be buggy) version, this section may be incomplete or even
> not present, I don't recall. In that case, I suggest you grab a more
> recent version (e.g. the one from OpenLDAP 2.2.29, or even from the 2.3
> branch, although in that case there might be small and subtle
> differences). You may even feel like upgrading :)
>
> p.
>
> Ing. Pierangelo Masarati
> Responsabile Open Solution
>
> SysNet s.n.c.
> Via Dossi, 8 - 27100 Pavia - ITALIA
> http://www.sys-net.it
> ------------------------------------------
> Office: +39.02.23998309
> Mobile: +39.333.4963172
> Email: pierangelo.masarati@sys-net.it
> ------------------------------------------
>
Okay,
I was too stupid to think.
I solved it now with:

access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=intra,dc=onnet,dc=ch$"
    by dn.regex="^cn=postmaster,ou=$2,ou=domains,dc=intra,dc=onnet,dc=ch$"
    write

Yippiee! Thanks for your help, you pointed me to the right approach!
Cheers, Jimmy
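An added slapd.conf fragment (not from either poster) that spells out the "children" versus "entry" distinction explained above for the same per-domain postmaster layout; it assumes the suffix dc=intra,dc=onnet,dc=ch and a postmaster DN of cn=postmaster,ou=<domain>,ou=domains,... from the thread, and that the rule for the domain ou itself is listed before the rule for its subtree, since slapd uses the first "to" clause that matches both the entry and the attribute:

```conf
# Added example, not part of the original thread.

# Adding or deleting an entry directly beneath ou=<domain> needs
# write access to the "children" pseudo-attribute of the PARENT
# (the domain ou), not to the new or removed entry itself.
# $1 in the "by" clause is the domain captured by ([^,]+) above.
access to dn.regex="^ou=([^,]+),ou=domains,dc=intra,dc=onnet,dc=ch$" attrs=children
    by dn.regex="^cn=postmaster,ou=$1,ou=domains,dc=intra,dc=onnet,dc=ch$" write
    by * none

# Everything below the domain ou: with no attrs= the rule covers all
# attributes plus the "entry" and "children" pseudo-attributes, so the
# postmaster can modify, add and delete within its own domain only, and
# "entry" read lets others have these DNs returned in searches.
access to dn.regex="^.+,ou=([^,]+),ou=domains,dc=intra,dc=onnet,dc=ch$"
    by dn.regex="^cn=postmaster,ou=$1,ou=domains,dc=intra,dc=onnet,dc=ch$" write
    by * read
```

A postmaster of one domain matches neither "by" clause for another domain's ou, so the anchored regexes keep domains isolated from each other.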