Hello all,
I have the following structure on my LDAP server:
ou=Misc,dc=diegolima,dc=org
ou=Users,dc=diegolima,dc=org
Under Users I have some user accounts, such as cn=user1,ou=Users,dc=diegolima,dc=org. I'd like to allow users to create an OU under ou=Misc as long as the OU has the user's name, such as ou=user1,ou=Misc,dc=diegolima,dc=org for user1 or ou=user2,ou=Misc,dc=diegolima,dc=org for user2. However, I wouldn't like to simply create an ACL such as:
access to dn.exact="ou=Misc,dc=diegolima,dc=org" by * add
as this ultimately allows user1 to create an ou named "ou=user2,ou=Misc". What I first tried was adding an ACL like this:
access to dn.regex="^ou=([^,]+),ou=Misc,dc=diegolima,dc=org" by dn.exact,expand="cn=$1,dc=diegolima,dc=org" write by * none
However, I receive an error telling me that I need write access to the parent entry to create this, and if I use the first ACL I seem to be able to create OUs without any naming restriction. Is there even a way to accomplish this?
Thank you very much!
On 30.09.2010 02:04, Diego Lima wrote:
> [...]
Hi,
I think you need to add write permissions for the pseudo attribute "children" of the parent, i.e. something like this:
access to dn="ou=Misc,dc=diegolima,dc=org" attrs=children by users write by * none
access to dn.regex="^ou=([^,]+),ou=Misc,dc=diegolima,dc=org$" by dn.expand="cn=$1,ou=Users,dc=diegolima,dc=org" write by * none
That way, all authenticated users are allowed to write to child entries of "ou=Misc,..." and the "dn.regex" rule then restricts to which children users may write.
Regards, Christian Manal
Hi again!
I managed to get it working by doing this:
access to dn.regex="^ou=([^,]+),ou=Misc,dc=diegolima,dc=org$" by dn.exact,expand="cn=$1,ou=users,dc=diegolima,dc=org" write by * read
access to dn="ou=Misc,dc=diegolima,dc=org" attrs=children by users write by * read
I actually needed to use "dn.exact,expand" instead of just "dn.expand" as it was not matching the client properly. I'm still trying to figure out why, so if anyone can explain this to me I'd be very appreciative :)
Anyway, it's working now! Thank you!
2010/9/30 Christian Manal moenoel@informatik.uni-bremen.de:
> [...]
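The ACL set the thread converges on, written out as a complete slapd.conf fragment with the reasoning in comments. This is an added example, not configuration posted by either participant; it assumes the DIT from the thread (users at cn=<name>,ou=Users,dc=diegolima,dc=org, per-user containers at ou=<name>,ou=Misc,dc=diegolima,dc=org) and a config file path of /etc/ldap/slapd.conf for the slapacl checks. The third rule goes one step beyond the thread: it also gives each user write access to everything beneath their own OU, so they can populate it, which the two-rule version on its own does not allow.

```conf
# Added example (not from the thread): per-user OUs under ou=Misc.
#
# slapd evaluates "access to" clauses in order and uses the FIRST one whose
# target matches the entry being accessed, so these must come before any
# catch-all "access to *" rule.

# Too permissive (the variant the original poster wanted to avoid): every
# authenticated user may add ANY child under ou=Misc, so user1 can create
# ou=user2,ou=Misc,dc=diegolima,dc=org.
#
# access to dn.exact="ou=Misc,dc=diegolima,dc=org"
#        by users add
#        by * read

# 1. Adding or deleting an entry needs write access to the "children"
#    pseudo-attribute of the parent. Granting it to all authenticated users
#    is not by itself a problem: this clause only says "you may add or delete
#    something here", not which names are allowed.
access to dn.exact="ou=Misc,dc=diegolima,dc=org" attrs=children
       by users write
       by * read

# 2. The add also needs write access to the new entry itself. The regex
#    captures the RDN value as $1 and expand= substitutes it into the DN the
#    client must be bound as, so only cn=user1 can create ou=user1. The
#    trailing $ anchors the match: without it the pattern would also match
#    deeper entries such as ou=x,ou=user1,ou=Misc,... and would compare the
#    client against cn=x, not cn=user1.
#    Caveat: [^,]+ stops at a comma, so a user whose cn contains an escaped
#    comma (cn=Smith\, John) will never match this rule.
access to dn.regex="^ou=([^,]+),ou=Misc,dc=diegolima,dc=org$"
       by dn.exact,expand="cn=$1,ou=Users,dc=diegolima,dc=org" write
       by * read

# 3. Extension beyond the thread: let each user manage the subtree under
#    their own OU. The optional leading group shifts the name capture to $2.
#    With no attrs= clause the grant covers the entry and children
#    pseudo-attributes too, so the owner can add and delete entries there.
access to dn.regex="^(.*,)?ou=([^,]+),ou=Misc,dc=diegolima,dc=org$"
       by dn.exact,expand="cn=$2,ou=Users,dc=diegolima,dc=org" write
       by * read

# Verify the rules without a running server; slapacl reads the config and
# reports ALLOWED or DENIED per requested access. -u skips fetching the entry,
# which is needed because the OU does not exist yet. Config path is assumed.
#
#   slapacl -f /etc/ldap/slapd.conf -u \
#       -D "cn=user1,ou=Users,dc=diegolima,dc=org" \
#       -b "ou=Misc,dc=diegolima,dc=org" children/write        # expect ALLOWED
#   slapacl -f /etc/ldap/slapd.conf -u \
#       -D "cn=user1,ou=Users,dc=diegolima,dc=org" \
#       -b "ou=user1,ou=Misc,dc=diegolima,dc=org" entry/write  # expect ALLOWED
#   slapacl -f /etc/ldap/slapd.conf -u \
#       -D "cn=user1,ou=Users,dc=diegolima,dc=org" \
#       -b "ou=user2,ou=Misc,dc=diegolima,dc=org" entry/write  # expect DENIED
```

Deletion is covered by the same pair of checks: removing ou=user2 needs write on ou=Misc's children (which user1 has) and write on the ou=user2 entry (which rule 2 gives only to cn=user2), so user1 cannot delete another user's container either. Remember that the rootdn bypasses ACLs entirely, so test with a regular user's DN as shown.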