[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACLs - match FDN to portion of attribute

To: openldap-software@openldap.org
Subject: Re: ACLs - match FDN to portion of attribute
From: Sergiy Stepanenko <ses863@mail.usask.ca>
Date: Mon, 19 Apr 2010 16:33:30 -0600
In-reply-to: <11455_1271715845_4BCCD805_11455_1097382_1_bf740161f0a93dac79a9599343ea2063.squirrel@www.aero.polimi.it>
References: <4BC49E0D.50800@mail.usask.ca> <20100414183523.GB7107@slab.skills-1st.co.uk> <4BCC9D03.2040403@mail.usask.ca> <11455_1271715845_4BCCD805_11455_1097382_1_bf740161f0a93dac79a9599343ea2063.squirrel@www.aero.polimi.it>
User-agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.1.9) Gecko/20100317 Lightning/1.0b1 Thunderbird/3.0.4

On 04/19/2010 04:04 PM, masarati@aero.polimi.it wrote:

Hi Andrew
I finally figured it out and here is what I did:

ACL
-----
access to attrs=uofsGroupRole val.regex="^([^:]+):.+$"
    by dn.exact,expand="${v1}" read
    by * none

Only attribute that contains users' dn within its value is available to
said user. It works exactly the way I want it. Only difference from
documentation is "${v1}" which explained here:
http://www.openldap.org/lists/openldap-bugs/200811/msg00078.html if you
are interested...


I've documented this feature in slapd.access(5), as part of ITS#5804.

Thanks, p.

My pleasure.

--
Sergiy Stepanenko
Systems Administrator
Information Technology Services
University of Saskatchewan
-----------------------------------
phone:    (306) 966-2762
email:sergiy.stepanenko@usask.ca

References:
- ACLs - match FDN to portion of attribute
  - From: Sergiy Stepanenko <ses863@mail.usask.ca>
- Re: ACLs - match FDN to portion of attribute
  - From: Andrew Findlay <andrew.findlay@skills-1st.co.uk>
- Re: ACLs - match FDN to portion of attribute
  - From: Sergiy Stepanenko <ses863@mail.usask.ca>

Prev by Date: Re: ACLs - match FDN to portion of attribute
Next by Date: Exception handling!!!
Index(es):
- Chronological
- Thread