Hi @all,
I’ve tried to implement an olcAccess rule via regex for multiple directory entries.
The goal was to group different users into two standard groups. Each group has different access rules. I didn’t want to do such a thing for every entry, so I thought that I’d be able to do that with regexes.
But my olcAccess rules don’t work.
I’ve already posted the question to Stack Overflow, but no answers so far. Here is the link:
http://stackoverflow.com/questions/31693040/ldap-olcaccess-regex-are-not-working-as-expected
And here is the rule for a regex-based access:
olcAccess: {1}to dn.regex="^o(.+),dc=organizations,dc=example,dc=ldap$"
  attrs=children
  by group.exact="cn=ADMINS,o=[$1],dc=organizations,dc=example,dc=ldap$" write
  by group.exact="cn=USER,o=[$1],dc=organizations,dc=example,dc=ldap$" read
  by * none
Can somebody help me? Or is such a thing not possible to do?
Greetings
John
PS: the content from Stack Overflow:
----------------------------------------------------------------------------------------
I have an LDAP server running with the structure:
dc=example,dc=ldap
  dc=organisations
    o=orga1 (objectClasses top/organisation/dcObject)
      cn=ADMINS (objectClasses top/groupOfNames)
      cn=USER
    o=orga2
      cn=ADMIN
      cn=USER
  cn=users (objectClasses top/organisation/dcObject)
    cn=user1 (objectClasses top/person)
    cn=user2
Now I want to add some rules so that only the users in the organisation groups are able to see the organisation.
The hard-coded approach was quite easy to implement:
olcAccess: {1}to dn.subtree="o=orga1,dc=organizations,dc=example,dc=ldap"
  by group.exact="cn=ADMINS,o=orga1,dc=organizations,dc=example,dc=ldap" write
  by group.exact="cn=USER,o=orga1,dc=organizations,dc=example,dc=ldap" read
  by * none
(It is important to write TWO spaces in front of the 'by' [It was a problem for a long time for me])
But I don't want to implement these rules for every new organisation, so I tried to implement the rule with some regex magic. But I failed miserably:
olcAccess: {1}to dn.regex="^o(.+),dc=organizations,dc=example,dc=ldap$"
  attrs=children
  by group.exact="cn=ADMINS,o=[$1],dc=organizations,dc=example,dc=ldap$" write
  by group.exact="cn=USER,o=[$1],dc=organizations,dc=example,dc=ldap$" read
  by * none
This rule affects nothing. So does someone have an idea to fix my problem?
Or is it not possible to group the members like I did?
Thanks again
--
Johannes Fischer
Research Fellow
Fraunhofer Institute for
Manufacturing Engineering and Automation IPA
Competence Centre Digital Tools for Manufacturing
Nobelstrasse 12 70569 Stuttgart | Germany
Phone +49 711 970-1217
Johannes.Fischer@ipa.fraunhofer.de
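Added example (not part of the original post or of the Stack Overflow question): what a working version of the regex rule looks like, based on the `by` clause styles documented in slapd.access(5). Four things in the posted rule prevent it from matching as intended: `group.exact` never substitutes `$1` (only the `expand` style does regex substring expansion), the `[...]` brackets and the trailing `$` make the expanded group DN invalid, `attrs=children` restricts the rule to the `children` pseudo-attribute (add/delete below the entry) instead of the entry's attributes, and `^o(.+)` captures `=orga1` including the `=` and only matches the organisation entry itself, not its subtree. The LDIF below assumes the data backend is `olcDatabase={1}mdb,cn=config` and that `{1}` is the intended position after an existing `{0}` rule; adjust both to the real configuration.

```ldif
# Added example, not the original poster's configuration.
# Assumed backend DN: olcDatabase={1}mdb,cn=config (change to match slapd.d).
# One rule covers every o=<orga>,dc=organizations,... subtree:
#  - (.+,)? optionally matches the RDNs of entries below the organisation,
#    so the rule applies to o=orga1 itself, its groups and everything beneath;
#  - ([^,]+) captures only the organisation name (no "=" and no comma), and
#    is available as $2 because it is the second parenthesised group;
#  - group.expand substitutes $2 into the group DN before the membership
#    check; group.exact would treat "$2" as literal text.
#  - no attrs= clause, so the rule governs the entries' attributes, not
#    just the "children" pseudo-attribute.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {1}to dn.regex="^(.+,)?o=([^,]+),dc=organizations,dc=example,dc=ldap$"
  by group.expand="cn=ADMINS,o=$2,dc=organizations,dc=example,dc=ldap" write
  by group.expand="cn=USER,o=$2,dc=organizations,dc=example,dc=ldap" read
  by * none
```

Two caveats when applying it. First, slapd evaluates `olcAccess` values in `{n}` order and stops at the first `to` clause that matches the target entry, so this rule must sit before any broader `to *` or `to dn.subtree="dc=example,dc=ldap"` rule, otherwise the broader rule wins. Second, the regex is matched against the normalised DN, so organisation names that differ only in case map to the same `$2`. Before trusting the rule from a client, check it offline with slapacl against the config directory (path assumed), e.g. `slapacl -F /etc/ldap/slapd.d -D "cn=user1,cn=users,dc=example,dc=ldap" -b "o=orga1,dc=organizations,dc=example,dc=ldap" entry/read`, which prints `ALLOWED` or `DENIED` for that identity and entry; run it once for a member of `cn=USER,o=orga1`, once for a member of `cn=ADMINS,o=orga1` with `entry/write`, and once for a user who is in neither group to confirm the `by * none` fallthrough.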