Hi,<br><br>Thank you very much!<br> <br>I have tried it. First it has not functioned. Then I have taken inaktin in [] and everything functions perfectly.<br><br>to dn.regex=&quot;,(uid=[^,]+,ou=people,dc=example,dc=com)$&quot;<br>

  by set.expand=&quot;[$1]/description &amp; [inaktiv]&quot; none<br>
<div class="im">  by group.exact=&quot;cn=ldapadmin,dc=example,dc=com&quot; tls_ssf=128 sasl_ssf=56 write<br>
</div>  by * +0 break<br><br>Thank once more!<br><br>Natalia<br><br><div class="gmail_quote">2012/3/22 Hallvard Breien Furuseth <span dir="ltr">&lt;<a href="mailto:h.b.furuseth@usit.uio.no">h.b.furuseth@usit.uio.no</a>&gt;</span><br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="im">On Thu, 22 Mar 2012 14:22:45 +0100, Natalia &lt;<a href="mailto:nata.cs2@gmail.com">nata.cs2@gmail.com</a>&gt; wrote:<br>

&gt; I have the following tree structure in LDAP:<br>
&gt; ou=people,dc=example,dc=com<br>
&gt;   uid=user1,ou=people,dc=example,dc=com<br>
&gt;<br>
&gt;            cn=child1,uid=user1,ou=people,dc=example,dc=com<br>
&gt;            cn=child2,uid=user1,ou=people,dc=example,dc=com<br>
&gt;    uid=user2,ou=people,dc=example,dc=com<br>
&gt; ..<br>
&gt;<br>
</div>&gt; I would like to make access in such a way: if fathers account<br>
<div class="im">&gt; (uid=user1,ou=people,dc=example,dc=com) is inactivated<br>
&gt; (description=inaktiv), all children become inaccessible.<br>
<br>
</div>Something like this, I think.  Untested, sorry.<br>
<br>
to dn.regex=&quot;,(uid=[^,]+,ou=people,dc=example,dc=com)$&quot;<br>
  by set.expand=&quot;[$1]/description &amp; inaktiv&quot; none<br>
<div class="im">  by group.exact=&quot;cn=ldapadmin,dc=example,dc=com&quot; tls_ssf=128 sasl_ssf=56 write<br>
</div>  by * +0 break<br>
<br>
I.e. access to: any children of an uid=... entry.<br>
  1. Look up &#39;description&#39; in entry $1 (&quot;uid=...), and<br>
     refuse access if it matches &#39;inaktiv&#39;.<br>
  2. For other entries, ldap admin over TLS+SASL gets full access.<br>
  3. For everyone else, skip this access statement and go<br>
     on to check the following access &#39;to&#39; statements.<br>
<br>
Drop the regexps&#39; initial &quot;,&quot; to also control the uid=... entry.<br>
Swap (1) and (2) to also give admin access to inactive subtrees.<br>
Replace (3) with e.g. &#39;by * read&#39; to instead give others read access.<br>
<div class="im"><br>
&gt; I have tried with this, but it has not functioned:<br>
&gt;  to dn.regex=&quot;uid=([^,]+),ou=people,dc=example,dc=com&quot;<br>
&gt; filter=&quot;(description=inaktiv)&quot; attrs=children<br>
&gt;   by group.exact=&quot;cn=ldapadmin,dc=example,dc=com&quot; tls_ssf=128<br>
&gt; sasl_ssf=56 write<br>
&gt;   by * none<br>
<br>
</div>That&#39;s not what &quot;()&quot; in regexps, filter, and children mean.  See<br>
man slapd.access.  The access syntax tries to make sensible access<br>
statements readable, but that doesn&#39;t mean any readable access<br>
statement is sensible:-)<br>
<br>
This is what your access statement means:<br>
<br>
When accessing e.g. the entry &quot;cn=child1,...&quot;, your dn.regex is checked<br>
against the DN, and matches.  But the filter is checked against the<br>
cn=child1 entry, not against a parent entry.  That does not match.  Nor<br>
does attrs=children usually match - that&#39;s a pseudo-attribute which<br>
Add/Delete/Rename check in the parent entry of the entry being added.<br>
<br>
So this access statement is skipped, since the &#39;to&#39; statement normally<br>
does not match.  If it had matched, you&#39;d then give write access to<br>
ldapadmin if they use TLS and SASL.  Nobody else would get access.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Hallvard<br>
</font></span></blockquote></div><br>