Hi,
I'm really new to OpenLDAP and try to grant domain admins access to their domain subtree in our historically grown LDAP structure.
The structure is like this:

ou=somedomain.tld,ou=mail,dc=example,dc=tld
ou=admins,ou=somedomain.tld,ou=mail,dc=example,dc=tld
cn=admin@somedomain.tld,ou=admins,ou=somedomain.tld,ou=mail,dc=example,dc=tld
The ACL I try to use (according to [1]) is:
access to dn.regex=".+,ou=([^,]+),ou=mail,dc=example,dc=tld$" by dn.onelevel,expand="ou=admins,ou=$1,ou=mail,dc=example,dc=tld" write by * break
but it doesn't take effect. After hours of thinking about the problem and searching on the internet I still can't get the point.
Thank you for reading, Ole
Hi,
On Fri, 28 Jun 2013 16:50:37 +0200, Ole ole@free.de wrote:
> The ACL I try to use (according to [1]) is:
> access to dn.regex=".+,ou=([^,]+),ou=mail,dc=example,dc=tld$" by dn.onelevel,expand="ou=admins,ou=$1,ou=mail,dc=example,dc=tld" write by * break
> but it doesn't take effect. After hours of thinking about the problem and searching on the internet I still can't get the point.
I got it. The ACL should be:
access to dn.regex=".*ou=([^,]+),ou=mail,dc=example,dc=tld$" by dn.onelevel,expand="ou=admins,ou=$1,ou=mail,dc=example,dc=tld" write by * break
The problem was that ou=somedomain.tld,ou=mail,dc=example,dc=tld can't be your base DN if you use 'dn.regex=".+,ou=...', because it means that there has to be at least one more entry in front. If you use '.*' instead of '.+' and leave out the ',', there doesn't have to be one.
So with this ACL you have access to 'ou=somedomain.tld,ou=mail,dc=example,dc=tld' and to its subtree.
Regards, Ole
On Sat, 29 Jun 2013 19:49:08 +0200, Ole ole@free.de wrote:
> access to dn.regex=".*ou=([^,]+),ou=mail,dc=example,dc=tld$" by dn.onelevel,expand="ou=admins,ou=$1,ou=mail,dc=example,dc=tld" write by * break
Oh sorry, I have to correct this. It is more secure to use:
access to dn.regex="^(.+,)?ou=([^,]+),ou=mail,dc=example,dc=tld$" by dn.onelevel,expand="ou=admins,ou=$1,ou=mail,dc=example,dc=tld" write by * break
please see [1] for explanation.
Regards, Ole
On Sat, 29 Jun 2013, Ole wrote:
> On Sat, 29 Jun 2013 19:49:08 +0200, Ole ole@free.de wrote:
> > access to dn.regex=".*ou=([^,]+),ou=mail,dc=example,dc=tld$" by dn.onelevel,expand="ou=admins,ou=$1,ou=mail,dc=example,dc=tld" write by * break
> Oh sorry, I have to correct this. It is more secure to use:
> access to dn.regex="^(.+,)?ou=([^,]+),ou=mail,dc=example,dc=tld$" by dn.onelevel,expand="ou=admins,ou=$1,ou=mail,dc=example,dc=tld" write by * break
You changed the number of parentheses, so surely that should be $2 instead of $1 in the second line, no?
> please see [1] for explanation.
Error, dangling footnote.
Philip Guenther
On Sat, 29 Jun 2013 12:27:00 -0700, Philip Guenther guenther+ldaptech@sendmail.com wrote:
> > access to dn.regex="^(.+,)?ou=([^,]+),ou=mail,dc=example,dc=tld$" by dn.onelevel,expand="ou=admins,ou=$1,ou=mail,dc=example,dc=tld" write by * break
> You changed the number of parentheses, so surely that should be $2 instead of $1 in the second line, no?
Yes, you are right! It has to be $2.
> > please see [1] for explanation.
> Error, dangling footnote.
Oh, the footnote is in the first mail ;) [1] http://www.openldap.org/faq/data/cache/973.html
Thank you for the improvement! Ole
openldap-technical@openldap.org
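The three regex versions from this thread, and the $1 versus $2 point, can be checked before touching slapd.conf. The following script is an added example, not from the thread or from OpenLDAP: it mimics dn.regex matching and dn.onelevel,expand against constructed DNs, assuming Python's re treats these patterns the same way as slapd's POSIX regex and that no RDN value contains an escaped comma.

```python
import re

# Constructed sample DNs following the structure described in the thread.
BASE = "ou=mail,dc=example,dc=tld"
DOMAIN = "ou=somedomain.tld," + BASE
ADMINS = "ou=admins," + DOMAIN
ADMIN_USER = "cn=admin@somedomain.tld," + ADMINS
MAILBOX = "cn=alice@somedomain.tld,ou=users," + DOMAIN
OTHER_DOMAIN = "ou=other.tld," + BASE
# Constructed entry directly under ou=mail whose RDN value merely contains
# the text "ou="; it is NOT inside somedomain.tld's subtree.
ODD_RDN = "cn=report ou=somedomain.tld," + BASE

# (dn.regex pattern, dn.onelevel,expand template) for each version posted,
# plus the "$1 with the final regex" variant that Philip pointed out.
ACLS = {
    "first":   (r".+,ou=([^,]+),ou=mail,dc=example,dc=tld$", "ou=admins,ou=$1,ou=mail,dc=example,dc=tld"),
    "second":  (r".*ou=([^,]+),ou=mail,dc=example,dc=tld$", "ou=admins,ou=$1,ou=mail,dc=example,dc=tld"),
    "final":   (r"^(.+,)?ou=([^,]+),ou=mail,dc=example,dc=tld$", "ou=admins,ou=$2,ou=mail,dc=example,dc=tld"),
    "final$1": (r"^(.+,)?ou=([^,]+),ou=mail,dc=example,dc=tld$", "ou=admins,ou=$1,ou=mail,dc=example,dc=tld"),
}

def parent_dn(dn):
    """Immediate superior of dn. Assumes no escaped commas in RDN values."""
    return dn.split(",", 1)[1]

def expand(template, match):
    """Replace $N with capture group N (empty string if the group did not participate)."""
    return re.sub(r"\$(\d)", lambda g: match.group(int(g.group(1))) or "", template)

def grants_write(acl, target_dn, bound_dn):
    """Approximation of slapd: does ACL <acl> give <bound_dn> write access to <target_dn>?"""
    what_re, who_tmpl = ACLS[acl]
    m = re.search(what_re, target_dn)  # dn.regex is unanchored unless ^ and $ are written
    if not m:
        return False  # the 'what' clause does not apply to this entry at all
    # dn.onelevel,expand: the bound DN must be an immediate child of the expanded DN
    return parent_dn(bound_dn) == expand(who_tmpl, m)

if __name__ == "__main__":
    for acl in ACLS:
        for target in (DOMAIN, MAILBOX, OTHER_DOMAIN, ODD_RDN):
            print(f"{acl:8} {grants_write(acl, target, ADMIN_USER)!s:5} {target}")
```

The "second" version also grants the domain admin write access to ODD_RDN, an entry outside the domain subtree, which is what the anchored "final" regex with $2 avoids.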