On 30.09.2010 02:04, Diego Lima wrote:
Hello all,
I have the following structure on my LDAP server:
ou=Misc,dc=diegolima,dc=org
ou=Users,dc=diegolima,dc=org
Under ou=Users I have some user accounts, such as cn=user1,ou=Users,dc=diegolima,dc=org. I'd like to allow users to create an OU under ou=Misc as long as the OU has the user's name, such as ou=user1,ou=Misc,dc=diegolima,dc=org for user1 or ou=user2,ou=Misc,dc=diegolima,dc=org for user2. However, I wouldn't like to simply create an ACL such as:
access to dn.exact="ou=Misc,dc=diegolima,dc=org" by * add
as this ultimately allows user1 to create an ou named "ou=user2,ou=Misc". What I first tried was adding an ACL like this:
access to dn.regex="^ou=([^,]+),ou=Misc,dc=diegolima,dc=org" by dn.exact,expand="cn=$1,dc=diegolima,dc=org" write by * none
However, I receive an error telling me that I need write access to the parent entry to create this, and if I use the first ACL I seem to be able to create OUs without any naming restriction. Is there even a way to accomplish this?
Thank you very much!
Hi,
I think you need to add write permissions for the pseudo-attribute "children" of the parent, i.e. something like this:
access to dn="ou=Misc,dc=diegolima,dc=org" attrs=children by users write by * none
access to dn.regex="^ou=([^,]+),ou=Misc,dc=diegolima,dc=org$" by dn.expand="cn=$1,ou=Users,dc=diegolima,dc=org" write by * none
That way, all authenticated users are allowed to write to child entries of "ou=Misc,..." and the "dn.regex" rule then restricts to which children users may write.
Regards,
Christian Manal
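To see how the two rules in the reply combine, here is an added model (written for this thread, not code from either poster or from OpenLDAP itself) of slapd's add check: the bind DN needs write on the parent's "children" pseudo-attribute and write on the new entry, with "$1" from the dn.regex rule expanded into the dn.expand template. DN comparison is simplified to case-insensitive string equality.

```python
import re
from typing import Optional

# Constructed from the ACLs quoted in the reply above.
BASE = "dc=diegolima,dc=org"
PARENT = f"ou=Misc,{BASE}"
# dn.regex="^ou=([^,]+),ou=Misc,dc=diegolima,dc=org$"; group 1 is the OU name.
CHILD_RE = re.compile(rf"^ou=([^,]+),ou=Misc,{re.escape(BASE)}$")
# dn.expand="cn=$1,ou=Users,dc=diegolima,dc=org"
EXPAND = f"cn=$1,ou=Users,{BASE}"


def parent_children_write(bind_dn: Optional[str]) -> bool:
    """access to dn="ou=Misc,..." attrs=children by users write by * none
    'users' means any authenticated bind; anonymous (None) gets 'none'."""
    return bind_dn is not None


def entry_write(bind_dn: Optional[str], target_dn: str) -> bool:
    """access to dn.regex="^ou=([^,]+),ou=Misc,...$"
                 by dn.expand="cn=$1,ou=Users,..." write by * none"""
    m = CHILD_RE.match(target_dn)
    if m is None or bind_dn is None:
        return False
    # Substitute the captured OU name for $1 and compare with the bind DN.
    expected = EXPAND.replace("$1", m.group(1))
    return bind_dn.lower() == expected.lower()


def can_add(bind_dn: Optional[str], target_dn: str) -> bool:
    """An add succeeds only with write on the parent's children AND on the
    entry being created. Entries outside ou=Misc match neither rule."""
    if "," not in target_dn:
        return False
    parent = target_dn.split(",", 1)[1]
    return (parent.lower() == PARENT.lower()
            and parent_children_write(bind_dn)
            and entry_write(bind_dn, target_dn))


if __name__ == "__main__":
    user1 = f"cn=user1,ou=Users,{BASE}"
    for who, dn in [(user1, f"ou=user1,{PARENT}"),   # own OU: allowed
                    (user1, f"ou=user2,{PARENT}"),   # someone else's OU: denied
                    (None, f"ou=user1,{PARENT}")]:   # anonymous: denied
        print(who, "->", dn, ":", "allowed" if can_add(who, dn) else "denied")
```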