Hello, everybody.
I have this structure:
dn: o=z
objectclass: organization
objectclass: top
o: z

dn: domainName=example.org,o=z
objectclass: mailDomain
objectclass: top
domainname: example.org

dn: uid=user,domainName=example.org,o=z
objectclass: account
objectclass: mailUser
objectclass: top
mail: user@example.org
uid: user
and want to grant access only to members of the subtree of every domainName:
dn: ou=Admins,domainName=example.org,o=z
objectclass: organizationalUnit
objectclass: top
ou: Admins

dn: uid=postmaster,ou=Admins,domainName=example.org,o=z
objectclass: account
objectclass: mailAdmin
objectclass: top
mail: postmaster@example.org
uid: postmaster
I wrote this ACL:
{0}to attrs=userPassword
    by self write
    by anonymous auth
    by * none
{1}to dn.regex="^(.+,)?(domainName=[^,]+,o=z)$"
    by dn.onelevel,expand="ou=Admins,$2" write
{2}to *
    by self write
and everything works fine, but I want to add something like this:
dn: uid=admin,domainName=example.org,o=z
objectclass: account
objectclass: mailAdmin
objectclass: top
mail: admin@example.org
uid: admin
and rewrite the ACL
to dn.regex="^(.+,)?(domainName=[^,]+,o=z)$"
    by dn.onelevel,expand="ou=Admins,$2" write
to grant write access to all subentries of a domainName that have objectClass=mailAdmin.
Is it possible? How can I do it?
openldap-technical@openldap.org