On 01.04.2011 13:25, Kilian Röhner wrote:
- Is it possible to specify a regexp as rootdn?
No, but if you use SASL (e.g. ldapsearch -H ldapi:// -QY EXTERNAL) or proxy auth, then you can use authz-regexp to rewrite multiple DNs to a single one which you then can use as rootDN.
OK, that is what I am already doing. Currently, I bind every admin to cn=ldapadmin,XYZ but I would like to bind them to cn=<user>,cn=ldapadmin,XYZ so that I can see in the creatorsName and modifiersName of the nodes who did what.
Would be nice for the future to have this (if this is the right place to say it).
Why don't you use ACLs to give admins the permissions they need? There's no need to abuse the rootdn for that.
- In an access rule, I have a set like:
by set="(user + ([cn=Current,cn=Time,cn=Monitor]/monitorTimestamp)) & (this/modifiersName + this/createTimestamp)" write
You want to let bound users write to entries they created this second? Cool, but fragile since the creation might happen at the end of the second, and the next write op next second.
Yes, that is what I'm trying to do. In fact, I want some users to only be allowed the creation of nodes but not the modification or deletion. The problem is, of course, that OpenLDAP has only "read" and "write" rules, while the latter usually implies that one can add, modify and delete.
Take a look at slapd.access(5). There is an "add" privilege.
Does anyone have an idea why the Monitor thing is not working?
But it seems that the Monitor part isn't resolved correctly (returns empty and thus empty for the whole set).
Regards, Christian Manal
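As an added illustration of the two suggestions above (per-admin DNs via authz-regexp instead of a shared rootdn, and the "add" privilege from slapd.access(5) for create-only users), here is a slapd.conf fragment that is not part of the thread; the suffix dc=example,dc=com, the ou=nodes container, the cn=creators group and the SASL identity shape are assumptions.

```conf
# Added example, not from the thread. Assumes suffix dc=example,dc=com, a
# container ou=nodes for the entries users create, a group cn=creators, and
# admins authenticating with a SASL mechanism whose identity looks like
# uid=<name>,cn=<mechanism>,cn=auth (EXTERNAL over ldapi:// yields a
# gidNumber=...+uidNumber=...,cn=peercred,cn=external,cn=auth identity
# instead and would need its own authz-regexp).

# Map every SASL admin identity to its own DN below cn=ldapadmin rather
# than to the rootdn: creatorsName/modifiersName then record the person,
# and the rootdn (which bypasses all ACLs) stays out of daily use.
authz-regexp
    "uid=([^,]+),cn=[^,]+,cn=auth"
    "cn=$1,cn=ldapadmin,dc=example,dc=com"

database mdb
suffix   "dc=example,dc=com"
rootdn   "cn=Manager,dc=example,dc=com"

# Privileges (slapd.access(5)): =a add, =z delete; "write" (=w) is the
# union of both. Creating an entry needs add on the parent's "children"
# pseudo-attribute and add on the new entry itself; deleting needs =z on
# both. ACL clauses are evaluated in order and the first matching
# "access to" wins, so the admin line precedes the restrictive ones.

# 1. Who may create or remove entries directly beneath ou=nodes.
access to dn.exact="ou=nodes,dc=example,dc=com" attrs=children
    by dn.children="cn=ldapadmin,dc=example,dc=com" write
    by group.exact="cn=creators,ou=groups,dc=example,dc=com" =a
    by * none

# 2. The created entries: creators get add (for the new entry and its
#    attributes) plus read, but never =z or full write, so ldapmodify
#    and ldapdelete by a creator are refused while ldapadd succeeds.
access to dn.children="ou=nodes,dc=example,dc=com"
    by dn.children="cn=ldapadmin,dc=example,dc=com" write
    by group.exact="cn=creators,ou=groups,dc=example,dc=com" =arscx
    by users read
    by * none

# 3. Everything else stays admin-only and readable to authenticated users.
access to dn.subtree="dc=example,dc=com"
    by dn.children="cn=ldapadmin,dc=example,dc=com" write
    by users read
    by * none
```

Verify the intent as a member of cn=creators: ldapadd of a new entry under ou=nodes should succeed, while ldapmodify or ldapdelete on that same entry should return insufficient access; creatorsName on the new entry should show the per-admin DN produced by the authz-regexp when an admin creates one.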