Howard Chu wrote:
> Fischer, Johannes wrote:
>> And here is the rule for a regex access:
>> olcAccess: {1}to dn.regex="^o(.+),dc=organizations,dc=example,dc=ldap$" attrs=children by group.exact="cn=ADMINS,o=[$1],dc=organizations,dc=example,dc=ldap$" write by group.exact="cn=USER,o=[$1],dc=organizations,dc=example,dc=ldap$" read by * none
>> Can somebody help me? Or is such a thing not possible to do?
>
> Your rule uses group.exact, which means it is NOT doing regex evaluation.

Besides that
dn.regex="^o(.+),dc=organizations,dc=example,dc=ldap$"
should probably be
dn.regex="^o=(.+),dc=organizations,dc=example,dc=ldap$"
Also the [] brackets in the who clause should be curly brackets {}.
Personally I also prefer to always use ${d1} to make it explicit that the DN regex is addressed (as opposed to val.regex, referenced with ${v1}).
> Read the slapd.access(5) manpage again.
Yes, one has to really spend lots of time with this man page!
Also use loglevel ..,ACL,.. to see valuable output on how your ACLs are processed.
Ciao, Michael.
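
The rule from the thread with the corrections from the replies applied, as an added example that is not part of the original messages. It assumes the group style `expand` from slapd.access(5), which substitutes submatches from the "to" clause into the group DN, and it narrows the capture to `[^,]+` so that only a single RDN value is substituted; both choices are this example's, not the posters'.

```ldif
# Constructed example, not taken from the thread.
#
# Changes against the rule as posted:
#   - "^o(.+)" becomes "^o=([^,]+)": the "=" is matched outside the capture,
#     and the capture stops at the first comma (one RDN value only).
#   - group.exact becomes group.expand: the group DN is then treated as a
#     replacement string, so the submatch is substituted into it.
#   - [$1] becomes ${d1}: curly brackets, with "d" marking the DN regex.
#   - the trailing "$" is dropped from the group DNs, since the expanded
#     value is a DN, not a regular expression.
#
# Continuation lines start with two spaces: the first is the LDIF fold
# marker, the second is the space that separates the clauses.
olcAccess: {1}to dn.regex="^o=([^,]+),dc=organizations,dc=example,dc=ldap$"
  attrs=children
  by group.expand="cn=ADMINS,o=${d1},dc=organizations,dc=example,dc=ldap" write
  by group.expand="cn=USER,o=${d1},dc=organizations,dc=example,dc=ldap" read
  by * none
```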