On Wed, 6 May 2009 12:39:10 -0700, Sean Burford unix.gurus@gmail.com wrote:
On Tue, May 5, 2009 at 3:13 PM, Wolfgang Lorenz wl-chmw@gmx.de wrote:
Thank you,
I've found a way to achieve exactly what I wanted:
    # self may write subentries no one else may read...
    access to dn.regex="^(.+,)+uid=([^,]+),ou=people,dc=example,dc=com$"
        by dn.regex="^uid=$2,ou=people,dc=example,dc=com$$" write

Where possible I would use the self.level{-1} syntax in preference to regexes since it is more descriptive. It also doesn't depend on the stability and performance of the OS regex libraries (which use a lot of malloc/frees).
But the regex-way gives me the possibility to give write access to the whole subtree of the binddn, whereas I wouldn't know how to do this using self.level...
Anyway, I don't expect many LDAP requests, which makes me think that I can spare some mallocs and frees. ;-) But I can see that this might be a problem on a bigger system with many more users than mine.
Cheers, Wolfgang
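
Added example, not part of the original thread: a small Python model of the regex ACL quoted above, for checking which bind DNs the clause lets write to which target DNs before it goes into slapd.conf. It assumes Python's `re` behaves like the server's regex library for these two patterns, approximates DN normalization by lowercasing, and treats the substituted `$2` as literal text; the function names and sample DNs are constructed.

```python
import re

# Patterns copied from the ACL in the message above.
TARGET_RE = re.compile(r"^(.+,)+uid=([^,]+),ou=people,dc=example,dc=com$")
# In the <who> pattern, "$2" is the second target group and "$$" a literal "$".
WHO_TEMPLATE = "^uid=$2,ou=people,dc=example,dc=com$$"
BASE = "ou=people,dc=example,dc=com"


def expand_who(template, groups):
    """Replace $N with the target's Nth group (escaped) and $$ with "$"."""
    def repl(m):
        tok = m.group(1)
        return "$" if tok == "$" else re.escape(groups[int(tok) - 1] or "")
    return re.sub(r"\$(\$|\d)", repl, template)


def may_write(bind_dn, target_dn):
    """True if this one ACL clause grants bind_dn write access to target_dn."""
    t = TARGET_RE.match(target_dn.lower())  # lowercasing: assumed normalization
    if t is None:
        return False  # clause does not apply; later ACLs would decide
    who = expand_who(WHO_TEMPLATE, t.groups())
    return re.match(who, bind_dn.lower()) is not None


# Constructed sample DNs.
ALICE = "uid=alice," + BASE
BOB = "uid=bob," + BASE
CASES = [
    (ALICE, "cn=card1," + ALICE),           # direct child of own entry
    (ALICE, "cn=a,ou=book," + ALICE),       # deeper in own subtree
    (ALICE, ALICE),                         # own entry: (.+,)+ needs a prefix
    (BOB, "cn=card1," + ALICE),             # someone else's subtree
    (BOB, "cn=x,uid=bob," + ALICE),         # uid=bob nested under alice
    (ALICE, "cn=x,uid=alice,ou=groups,dc=example,dc=com"),  # wrong container
]


def report():
    return [(b, t, may_write(b, t)) for b, t in CASES]


if __name__ == "__main__":
    for bind_dn, target_dn, ok in report():
        print(f"{'WRITE' if ok else 'none ':5}  {bind_dn}  ->  {target_dn}")
```

The third case shows that this clause covers only entries below the user's own entry, not the entry itself, so access to that entry has to come from another ACL.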