Re: idea for access rules
On Sun, 2010-02-21 at 14:32 +0100, Stefan Palme wrote:
> On Sun, 2010-02-21 at 13:54 +0100, masarati@aero.polimi.it wrote:
> > > On Sun, 2010-02-21 at 13:26 +0100, masarati@aero.polimi.it wrote:
> > >> > I am searching for a rule like this:
> > >> >
> > >> > access
> > >> > to "cn=[^,]+,ou=data1,ou=data" attrs="attr1,attr2,attr3"
> > >> > by dnattr="owner of node ou=data1,ou=data" write
> > >>
> > >> Try
> > >>
> > >> access to dn.children="ou=data1,ou=data"
> > >> by set="[ou=data1,ou=data]/owner & user" write
> > >
> > > Thanks for this hint. The man page for slapd.access currently says
> > > "The statement set=<pattern> is undocumented yet". Is there anywhere
> > > else a detailed documentation for this?
> >
> > Yes, it's very well hidden here
> > <http://www.openldap.org/faq/data/cache/1133.html> :) Updating
> > slapd.access(5) has been on the todo list for a long time...
>
> Thanks, I think I've got the idea and how to use it for my purposes
> (those sets are really powerful, my respect to the developers!).
>
> But unfortunately I don't get it to work, I hope it's only a small
> mistake by me:
>
> This works:
> access
> to dn.regex=".*,(ou=[^,]+,ou=data)"
> by set.expand="user & ([ou=data1,ou=data]/owner)"
>
> This does NOT work (the owner of ou=dataX,ou=data does NOT get
> access to the corresponding child entries):
> access
> to dn.regex=".*,(ou=[^,]+,ou=data)"
> by set.expand="user & ([$1]/owner)"
Sorry for this, the second one DOES work.
It was just a typo in my access configuration.
I have another, similar problem the other way around, but I guess
I will start a new thread for this...
Thanks and regards
-stefan-
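
The rule discussed in this thread, modelled as an added example (not part of the original messages and not OpenLDAP code): it shows how $1 from the dn.regex match is expanded into the set and how "user & [dn]/owner" is then evaluated. The directory entries, user DNs and function names are constructed for illustration, and DN comparison is simplified to exact string equality.

```python
import re

# Constructed sample directory: DN -> attributes (all values are made up).
DIRECTORY = {
    "ou=data1,ou=data": {"owner": ["cn=alice,ou=people"]},
    "ou=data2,ou=data": {"owner": ["cn=bob,ou=people"]},
    "cn=doc1,ou=data1,ou=data": {},
    "cn=doc2,ou=data2,ou=data": {},
}

# The <what> pattern from the thread; group 1 is the ou=dataX,ou=data node.
WHAT_REGEX = re.compile(r".*,(ou=[^,]+,ou=data)")
SET_TEMPLATE = "user & ([$1]/owner)"


def expand(template, match):
    """Replace $N with the Nth submatch of the <what> regex (set.expand)."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))), template)


def evaluate_set(expanded, user_dn, directory):
    """Evaluate only the form 'user & ([<dn>]/<attr>)' used in the thread."""
    m = re.fullmatch(r"user & \(\[(.+)\]/(\w+)\)", expanded)
    if m is None:
        raise ValueError("unsupported set expression: " + expanded)
    base_dn, attr = m.groups()
    # [dn]/attr dereferences the attribute values of that entry.
    values = set(directory.get(base_dn, {}).get(attr, []))
    # '&' is set intersection; 'user' is the set holding the bound DN.
    return {user_dn} & values


def by_clause_matches(target_dn, user_dn, directory=DIRECTORY):
    """True when the rule applies to target_dn and the set is non-empty."""
    match = WHAT_REGEX.search(target_dn)
    if match is None:
        return False  # the <what> clause does not select this entry
    expanded = expand(SET_TEMPLATE, match)
    return bool(evaluate_set(expanded, user_dn, directory))


if __name__ == "__main__":
    for dn in ("cn=doc1,ou=data1,ou=data", "cn=doc2,ou=data2,ou=data"):
        for user in ("cn=alice,ou=people", "cn=bob,ou=people"):
            print(dn, user, by_clause_matches(dn, user))
```
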