On Sun, 2010-02-21 at 13:54 +0100, masarati(a)aero.polimi.it wrote:
> > On Sun, 2010-02-21 at 13:26 +0100, masarati(a)aero.polimi.it wrote:
> >> > I am searching for a rule like this:
> >> >
> >> > access
> >> > to "cn=[^,]+,ou=data1,ou=data"
> >> > by dnattr="owner of node ou=data1,ou=data" write
> >> Try
> >> access to dn.children="ou=data1,ou=data"
> >> by set="[ou=data1,ou=data]/owner & user" write
> > Thanks for this hint. The man page for slapd.access currently says
> > "The statement set=<pattern> is undocumented yet". Is there
> > detailed documentation for this elsewhere?
> Yes, it's very well hidden here
> slapd.access(5) has been on the todo list for a long time...
Thanks, I think I've got the idea and how to use it for my purposes
(those sets are really powerful, my respect to the developers!).
But unfortunately I can't get it to work; I hope it's only a small
mistake on my part:
by set.expand="user & ([ou=data1,ou=data]/owner)"
This does NOT work (the owner of ou=dataX,ou=data does NOT get
access to the corresponding child entries):
by set.expand="user & ([$1]/owner)"
(Of course, the first one is not exactly the same as the second one,
because the first one allows access to ALL dataX-subtrees to the owner
of the data1-subtree...)
But why does the second one not work?

Works for me, so the devil must be in the details. Try with -d acl and
see how things expand.
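
An added illustration, not part of the thread and not a diagnosis of the poster's configuration: one way to write the per-subtree owner rule so that `$1` in `set.expand` has a submatch to expand from, using `dn.regex` in the `access to` clause. The DNs keep the thread's abbreviated form, and the closing `by * none` is an assumption.

```conf
# slapd.conf fragment (constructed example, not taken from either poster).
#
# The parenthesised group captures the container of the entry being accessed:
#   cn=foo,ou=data2,ou=data        ->  $1 = ou=data2,ou=data
#   cn=bar,cn=foo,ou=data1,ou=data ->  $1 = ou=data1,ou=data
#
# set.expand substitutes $1 into the set before it is evaluated:
#   [$1]/owner  = values of the owner attribute on the captured container
#   user        = DN of the bound identity
#   &           = intersection; access is granted when the result is non-empty
#
# Result: the owner of ou=dataX,ou=data gets write access below that
# container only, not below the other dataX subtrees.
#
# ACLs are evaluated first match wins, so this rule has to come before any
# broader "access to" clause that also covers ou=data.
#
# Comments are kept above the directive on purpose: continuation lines are
# joined before comment processing, so a comment between the "by" clauses
# would break the rule.
#
# Assumption: "by * none" denies everyone else on this rule; adjust to the
# read access the directory actually needs.
access to dn.regex="^.+,(ou=[^,]+,ou=data)$"
    by set.expand="user & ([$1]/owner)" write
    by * none
```

Running slapd with `-d acl`, as suggested in the thread, shows the expanded set for each access check.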