On 10/31/05, Samuel Tran <[EMAIL PROTECTED]> wrote:
> > > >>>>>>On Wed, 2005-10-26 at 20:53 +0800, Feifei Jia wrote:
> > > >>>>>>
> > > >>>>>>>Hi there,
> > > >>>>>>>
> > > >>>>>>>What I want to do is:
> > > >>>>>>>
> > > >>>>>>>Let the RDN under ou=Admin,dc=com have write permission to the RDN
> > > >>>>>>>like uid=foo,ou=People,dc=com
> > > >>>>>>>
> > > >>>>>>Do you want any entries in ou=Admin,dc=com to be able to write to
> > > >>>>>>any entries in ou=People,dc=com?
> > > >>>>>>
> > > >>>>>>Sam
> > > >>>>>>
> > > >>>>>Yes, that's exactly what I want to do. Could you tell me how to
> > > >>>>>achieve this?
> > > >>>>>
> > > >>>>Try this:
> > > >>>>
> > > >>>>access to dn.subtree="ou=People,dc=com"
> > > >>>>        by dn.one="ou=Admin,dc=com" write
> > > >>>>
> > > >>>>Sam
> > > >>>>
> > > >>>If I want to use regex to let a DN like
> > > >>>"uid=test,ou=Admin,dc=demo1,dc=com" write to entries in
> > > >>>"ou=People,dc=demo1,dc=com", and change "demo1" to "([^,]+)", what
> > > >>>should I do? It seems I cannot combine subtree with regex.
> > > >>>
> > > >>According to man slapd.access, this should work for you:
> > > >>
> > > >>access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$"
> > > >>        by dn.one,expand="ou=Admin,dc=$1,dc=com"
> > > >>
> > > >>Let me know if it is fine.
> > > >>
> > > >>Sam
> > > >>
> > > >It seems not to work; I only get the "Insufficient access (50)" error :(
> > > >Maybe "dn.one" is not a good choice?
> > > >
> > > Sorry, I forgot the access field. It should be:
> > >
> > > access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$"
> > >         by dn.one,expand="ou=Admin,dc=$1,dc=com" write
> > >
> > > --
> > > Sam
> > >
> > Actually, I did add "write" in the "by" clause that day.
> > And I ran "slapd -d 128"; it showed something like "access denied" :(
> >
> Sorry, I made a mistake; it should be $2 instead of $1 in the who clause:
>
> access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$"
>         by dn.one,expand="ou=Admin,dc=$2,dc=com" write
>
> Sam
>
Cool, that works, thanks. But there's a weird problem: the "userPassword" of entries in ou=People,dc=([^,]+),dc=com, whether added using my slapd admin account or by entries in ou=Admin,dc=$2,dc=com, was invalid. I could successfully add the "userPassword", but when I used the "Password" to auth (say, with ldapsearch), "ldap_bind: Invalid credentials (49)" showed up. All the entries not in ou=People,dc=([^,]+),dc=com can auth fine.

I added a new rule and put it before "access to attrs=userPassword" (slapd.conf default ACL):

access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$" attrs=userPassword

Still the same :(

--
Thanks~
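The bind failure described in the last message is the symptom you get when the broad ou=People directive (or a userPassword directive with no "by" clauses) sits above the stock "access to attrs=userPassword" rule: slapd uses only the first "access to" whose target matches, and if none of its "by" clauses grants "auth" to anonymous the simple bind is refused. The following slapd.conf fragment is an added example, not from the thread or from OpenLDAP itself; the suffix layout is the thread's, while the "by * read" grants and the catch-all rule are assumptions mirroring the default slapd.conf.

```conf
# Constructed slapd.conf ACL fragment (added example, not from the thread).
# Layout from the thread: ou=Admin,dc=<x>,dc=com administers
# ou=People,dc=<x>,dc=com. The "by * read" lines mirror the stock
# slapd.conf default and are an assumption.
#
# PROBLEMATIC ORDER (commented out). The broad ou=People directive matches
# every attribute, userPassword included, and slapd evaluates only the
# first "access to" whose target matches. None of its "by" clauses grants
# "auth" to anonymous, so a simple bind as uid=foo,ou=People,... fails with
# "Invalid credentials (49)" even though the hash was stored correctly.
# Inserting a second directive that also lacks "by anonymous auth" does
# not help: a "by" list that matches nobody means an implicit "by * none".
#
#access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$"
#        by dn.one,expand="ou=Admin,dc=$2,dc=com" write
#
#access to attrs=userPassword
#        by self write
#        by anonymous auth
#        by * none

# CORRECTED ORDER. The userPassword directive for ou=People comes first and
# carries the "self" and "auth" grants; the broad directive follows and
# covers the remaining attributes of those entries.
access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$" attrs=userPassword
        by dn.one,expand="ou=Admin,dc=$2,dc=com" write
        by self write
        by anonymous auth
        by * none

access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$"
        by dn.one,expand="ou=Admin,dc=$2,dc=com" write
        by * read

# Unchanged stock rules for everything outside ou=People.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to *
        by * read
```

Running slapd with "-d 128", as done earlier in the thread, prints which "access to" directive and which "by" clause each bind hits, so the ordering can be confirmed directly rather than inferred from the bind result.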
