Tobias Franzén wrote:
I started fiddling around with regexp ACLs after I wrote my mail (I thought of it just as I was finishing the mail), and so far I have been able to limit access to the userPassword (and as such, simple binds) to users in ou=People who have a userPassword like regexp "{SASL}.+@REALM". However, I have yet to find a way to expand a regexp from the dn containing the uid, into the attrs regexp. My ACL looks something like this:
access to dn.regex="^uid=([^,]+),ou=People,dc=example,dc=com$" attrs=userPassword val.regex="{SASL}.+@EXAMPLE.COM" by self read by anonymous auth by * none
I have tried to use val.exact="{SASL}$1@EXAMPLE.COM" but it doesn't appear to expand the $1 from the first dn.regex as I would like. Any ideas?
Your wish does not find any correspondence in the documentation. In fact, there's no possibility to have such expansion, nor does it make much sense, as there's no consequentiality implied in setting
access to dn=pattern attr=desc val=value
since
access to val=value attr=desc dn=pattern
would be exactly the same rule.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
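As an added illustration (not part of the thread, and not the poster's configuration), the rule from the question written out in slapd.conf form with the value pattern anchored and its regex metacharacters escaped, followed by a catch-all rule for every other userPassword value; the suffix dc=example,dc=com and the realm EXAMPLE.COM are the thread's own placeholders. As the reply explains, the dn, attrs and val selectors are independent tests, so nothing here ties the uid captured from the DN to the value.

```conf
# Added example, not from the thread. Suffix and realm are the thread's placeholders.
# The three selectors (dn.regex, attrs, val.regex) are evaluated independently;
# an entry must satisfy all of them for this rule to apply.
# The value pattern is anchored and "{", "}" and "." are escaped so they match literally.
access to dn.regex="^uid=[^,]+,ou=People,dc=example,dc=com$"
        attrs=userPassword
        val.regex="^\{SASL\}.+@EXAMPLE\.COM$"
    by self read
    by anonymous auth
    by * none

# Every other userPassword value (for example a non-SASL hash) is reachable by nobody,
# so a simple bind can only succeed for entries whose password is SASL pass-through.
access to attrs=userPassword
    by * none

# Remaining attributes stay readable by authenticated users.
access to *
    by users read
    by anonymous auth
```

Rules are matched in order, so the specific userPassword rule must precede the catch-all one.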