--On Thursday, January 12, 2006 3:47 PM -0500 Leeman Strout <[EMAIL PROTECTED]> wrote:

> The last attempt with my ACLs:
>
> access to *
>     by dn="cn=admin,dc=nodomain" write
>     by self write
>     by * read
>
> access to dn.regex="ou=Address Book,uid=([^,]+),ou=([^,]+),dc=nodomain$"
>     attrs=entry,children,@inetorgperson
>     by dn.exact,expand="uid=$1,ou=$2,dc=nodomain" write
>
> access to dn.regex="ou=Address Book,uid=([^,]+),ou=([^,]+),dc=nodomain$"
>     attrs=entry
>     by dn.exact,expand="uid=$1,ou=$2,dc=nodomain" read
In addition to Aaron's response, the most important thing to always
remember about ACLs in OpenLDAP is that they *stop* at the first
applicable ACL unless you have a "by * break" statement. So all that will
ever be evaluated from your above ACLs is the very first clause, because it
catches everything. None of your ACLs past that point will ever be looked
at.
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
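As an added illustration of the ordering point made above (this is not a configuration posted by either participant), the same ACLs rewritten so that the specific "Address Book" rule is evaluated before the catch-all. slapd selects the first "access to" directive whose target (DN, attrs, filter) matches the entry being accessed, so the catch-all must come last; the "by * none" line is only the implicit default spelled out, and the admin "by" line on the Address Book rule is an assumption about intent, since otherwise cn=admin would lose write access to that subtree once the specific rule is chosen. The original second regex rule (attrs=entry, owner read) is dropped here because "entry" is already listed in the first regex rule's attrs, so it would never be reached either.

```conf
# Specific rule first: a user's own "Address Book" subtree.
# Both the ou=Address Book entry and its children match this regex.
access to dn.regex="ou=Address Book,uid=([^,]+),ou=([^,]+),dc=nodomain$"
        attrs=entry,children,@inetorgperson
        by dn.exact,expand="uid=$1,ou=$2,dc=nodomain" write
        by dn="cn=admin,dc=nodomain" write   # assumed: keep admin control here
        by * none                             # implicit default, written out

# Catch-all last: only consulted when no earlier "access to" target matched.
access to *
        by dn="cn=admin,dc=nodomain" write
        by self write
        by * read
```

To check which rule a given request actually hits, raise the ACL log level (loglevel 128, "acl") on a test instance and read the "access to" lines slapd emits; if the catch-all is still reported for an Address Book entry, the regex target is not matching as expected.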