On Sun, 2010-02-21 at 14:32 +0100, Stefan Palme wrote:
> On Sun, 2010-02-21 at 13:54 +0100, masar...@aero.polimi.it wrote:
> > > On Sun, 2010-02-21 at 13:26 +0100, masar...@aero.polimi.it wrote:
> > >> > I am searching for a rule like this:
> > >> >
> > >> > access
> > >> >   to "cn=[^,]+,ou=data1,ou=data" attrs="attr1,attr2,attr3"
> > >> >   by dnattr="owner of node ou=data1,ou=data" write
> > >>
> > >> Try
> > >>
> > >> access to dn.children="ou=data1,ou=data"
> > >>   by set="[ou=data1,ou=data]/owner & user" write
> > >
> > > Thanks for this hint. The man page for slapd.access currently says
> > > "The statement set=<pattern> is undocumented yet". Is there anywhere
> > > else a detailed documentation for this?
> >
> > Yes, it's very well hidden here
> > <http://www.openldap.org/faq/data/cache/1133.html> :) Updating
> > slapd.access(5) has been on the todo list for a long time...
>
> Thanks, I think I've got the idea and how to use it for my purposes
> (those sets are really powerful, my respect to the developers!).
>
> But unfortunately I don't get it to work, I hope it's only a small
> mistake by me:
>
> This works:
> access
>   to dn.regex=".*,(ou=[^,]+,ou=data)"
>   by set.expand="user & ([ou=data1,ou=data]/owner)"
>
> This does NOT work (the owner of ou=dataX,ou=data does NOT get
> access to the corresponding child entries):
> access
>   to dn.regex=".*,(ou=[^,]+,ou=data)"
>   by set.expand="user & ([$1]/owner)"

Sorry for this, the second one DOES work. It was just a typo in my
access configuration.

I have another, similar problem the other way around, but I guess
I will start a new thread for this...

Thanks and regards
-stefan-
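
The difference between the two rules quoted above, as an added example that is not part of the original thread and is not OpenLDAP code: a small Python model of how set.expand substitutes $1 from the dn.regex match and then intersects the bound user with the owner values. The directory entries, the owner DNs and the function names are constructed for illustration, and the model handles only the "user & ([dn]/attr)" form used in the thread.

```python
import re

# Constructed sample directory (DN -> attributes); not taken from the thread.
DIRECTORY = {
    "ou=data1,ou=data": {"owner": {"cn=alice,ou=people"}},
    "ou=data2,ou=data": {"owner": {"cn=bob,ou=people"}},
    "cn=rec1,ou=data1,ou=data": {},
    "cn=rec2,ou=data2,ou=data": {},
}

TO_REGEX = r".*,(ou=[^,]+,ou=data)"              # <what> pattern from the thread
FIXED_SET = "user & ([ou=data1,ou=data]/owner)"  # first rule: hard-coded parent
EXPAND_SET = "user & ([$1]/owner)"               # second rule: parent from $1

# Hypothetical mini-parser for the one set form that appears in the thread.
SET_FORM = re.compile(r"user & \(\[(.+)\]/(\w+)\)")


def expand(set_spec, match):
    """Replace $N with the Nth submatch of the <what> regex (set.expand)."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))), set_spec)


def grants(set_spec, target_dn, user_dn):
    """Model 'to dn.regex=TO_REGEX by set.expand=set_spec' for one request."""
    match = re.search(TO_REGEX, target_dn)
    if match is None:
        return False                  # the rule does not apply to this entry
    dn, attr = SET_FORM.fullmatch(expand(set_spec, match)).groups()
    owners = DIRECTORY.get(dn, {}).get(attr, set())
    return bool({user_dn} & owners)   # a non-empty set means the <who> matches


if __name__ == "__main__":
    for spec in (FIXED_SET, EXPAND_SET):
        for user in ("cn=alice,ou=people", "cn=bob,ou=people"):
            print(spec, user, grants(spec, "cn=rec2,ou=data2,ou=data", user))
```

With the hard-coded set, the owner of ou=data1 also matches for entries under ou=data2, because the dn.regex covers every ou=...,ou=data subtree; with $1 each owner matches only under their own container.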