On 01.04.2011 13:25, Kilian Röhner wrote:
>>> 1. Is it possible to specify a regexp as rootdn?
>> No, but if you use SASL (e.g. ldapsearch -H ldapi:// -QY EXTERNAL) or
>> proxy auth, then you can use authz-regexp to rewrite multiple DNs to
>> a single one which you then can use as rootDN.
> OK, that is what I am already doing. Currently, I bind every admin to
> cn=ldapadmin,XYZ but I would like to bind them to
> cn=<user>,cn=ldapadmin,XYZ so that I can see in the creatorsName and
> modifiersName of the nodes who did what.
> Would be nice for the future to have this (if this is the right place to
Why don't you use ACLs to give admins the permissions they need? There's
no need to abuse the rootdn for that.
>>> 2. In an access rule, I have a set like:
>>> by set="(user + ([cn=Current,cn=Time,cn=Monitor]/monitorTimestamp)) &
>>> (this/modifiersName + this/createTimestamp)" write
>> You want to let bound users write to entries they created this second?
>> Cool, but fragile since the creation might happen at the end of the
>> second, and the next write op next second.
> Yes, that is what I'm trying to do. In fact, I want to allow some users
> only the creation of nodes, but not modification or deletion. The
> problem is, of course, that OpenLDAP has only "read" and "write",
> while the latter usually implies that one can add, modify and delete.
Take a look at slapd.access(5). There is an "add" privilege.
> Does anyone have an idea why the Monitor thing is not working?
>>> But it seems that the Monitor part isn't resolved correctly (it returns
>>> empty, and thus the whole set is empty).