Re: Does userattr="parent[1].attribute#LDAPURL" work ?

Hi,

I seem to have found a workaround (at least for my special case) by using a
macro ACI:

(targetattr="*")(target="ldap:///cn=*,cn=($dn),o=bug")(version 3.0; acl
"Test 2"; allow (all) userdn ="ldap:///o=bug??sub?(nsuniqueid=[$dn])";)

This works for my first post, which is my real life problem, where I want to
give rights on an object to the user whose nsuniqueid equals the cn of the
object's parent.

For my second post, this workaround does not work, since it is based on a DN
component, while I store the information in an attribute not used in the DN
(description).

Maybe I should file a bug.

François
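An added walk-through (my own illustration, not the poster's code or 389 DS's evaluator) of how the macro ACI above resolves: `($dn)` in the target captures one DN component of the entry being accessed, and `[$dn]` substitutes that value into the userdn URL before the bind DN is searched for. The directory, entry names and nsuniqueid values are constructed, and the filter evaluation handles only a single equality term; it also shows why the workaround needs the value in the DN rather than in an attribute such as description.

```python
import re

# Added walk-through of the reply's macro ACI: ($dn) in the target captures one DN
# component and [$dn] re-injects it into the userdn URL. DIRECTORY is constructed data.
TARGET = "ldap:///cn=*,cn=($dn),o=bug"
USERDN = "ldap:///o=bug??sub?(nsuniqueid=[$dn])"
DIRECTORY = {  # dn -> attributes (names lower-cased)
    "uid=alice,o=bug": {"uid": "alice", "nsuniqueid": "11111111-aaaa"},
    "uid=bob,o=bug": {"uid": "bob", "nsuniqueid": "22222222-bbbb"},
    "cn=11111111-aaaa,o=bug": {"cn": "11111111-aaaa"},
    "cn=doc1,cn=11111111-aaaa,o=bug": {"cn": "doc1"},
}

def ldap_url_parts(url):
    """Split ldap:///base?attrs?scope?filter; missing parts take RFC 4516 defaults."""
    m = re.fullmatch(r"ldap:///([^?]*)(?:\?([^?]*))?(?:\?([^?]*))?(?:\?(.*))?", url)
    if not m:
        raise ValueError("not an LDAP URL: " + url)
    base, attrs, scope, filt = m.groups()
    return base, attrs or "", scope or "base", filt or "(objectClass=*)"

def macro_dn_value(target_url, entry_dn):
    """DN component captured by ($dn), or None when the target does not match entry_dn."""
    base = ldap_url_parts(target_url)[0]
    pat = re.escape(base).replace(r"\*", "[^,]+").replace(r"\(\$dn\)", "(?P<dn>[^,]+)")
    m = re.fullmatch(pat, entry_dn, re.IGNORECASE)
    return m.group("dn") if m else None

def escape_filter_value(value):
    """RFC 4515 escaping, so a substituted DN component cannot rewrite the filter."""
    return re.sub(r"[*()\\\x00]", lambda c: "\\%02x" % ord(c.group()), value)

def in_scope(dn, base, scope):
    """Scope check for the userdn search; this demo handles 'base' and 'sub'."""
    dn, base = dn.lower(), base.lower()
    return dn == base or (scope == "sub" and dn.endswith("," + base))

def userdn_allows(bind_dn, entry_dn, directory=DIRECTORY):
    """True when the macro userdn, expanded for entry_dn, selects bind_dn."""
    value = macro_dn_value(TARGET, entry_dn)
    if value is None:
        return False                                    # ACI target does not apply
    base, _, scope, filt = ldap_url_parts(USERDN.replace("[$dn]", escape_filter_value(value)))
    fm = re.fullmatch(r"\(([\w-]+)=([^)]*)\)", filt)    # demo: one equality filter only
    if not fm or not in_scope(bind_dn, base, scope):
        return False
    attr, want = fm.group(1).lower(), fm.group(2)
    have = directory.get(bind_dn, {}).get(attr)
    return have is not None and escape_filter_value(have) == want
```

With these entries, alice (whose nsuniqueid equals the parent's cn) is selected for `cn=doc1,cn=11111111-aaaa,o=bug`, bob is not, and the parent entry itself falls outside the target pattern.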

2006/9/25, François Beretti <francois.beretti at gmail.com>:
>
> Hi again,
>
> since my first post may be complex, I made a much simpler sample, with
> standard objects.
>
> I created a root suffix 'o=bug'
>
> with two ACI:
> aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr
> ="description#LDAPURL";)
> aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr
> ="parent[1].description#LDAPURL";)
>
> Then I added a user, uid=testuser,o=bug
>
> Then, an organizationalUnit, ou=testparentobject,o=bug
> with the description: ldap:///o=bug??sub?(uid=testuser)
>
> According to the ACIs, testuser should be able to modify ou=testparentobject
> and to create child objects under it.
>
> But he only can modify it.
>
> I don't find where I made a mistake.
>
> I am attaching my LDIF files and LDAP commands.
>
>
> Thank you for your help
>
> François
>
>
>
> Here are the LDIF files:
> ---------- o=bug dump -------
> dn: o=bug
> aci: (targetattr != "userPassword") (version 3.0; acl "Anonymous access";
> allow (read, search, compare)userdn = "ldap:///anyone";;)
> aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr
> ="description#LDAPURL";)
> aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr
> ="parent[1].description#LDAPURL";)
> o: bug
> objectClass: top
> objectClass: organization
>
> dn: uid=testuser,o=bug
> uid: testuser
> givenName: Test
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> sn: User
> cn: Test User
> userPassword: toto
>
> dn: ou=testparentobject,o=bug
> ou: testparentobject
> description: ldap:///o=bug??sub?(uid=testuser)
> objectClass: top
> objectClass: organizationalunit
>
>
>
>
> --------- modification command ----------
> $ ldapmodify -x -D 'uid=testuser,o=bug' -w toto -f
> object-modification.ldif
> modifying entry "ou=testparentobject,o=bug"
> $
>
> --------- creation command -----------
> $ ldapadd -x -D 'uid=testuser,o=bug' -w toto -f object-creation.ldif
> adding new entry "ou=testchildobject,ou=testparentobject,o=bug"
> ldap_add: Insufficient access (50)
>         additional info: Insufficient 'add' privilege to add the entry
> 'ou=testchildobject,ou=testparentobject,o=bug'.
> $
>
>
>
>
> ---------- modification LDIF file ----------------
> dn: ou=testparentobject,o=bug
> changetype: modify
> replace: telephoneNumber
> telephoneNumber: 0123456789
>
>
>
>
> ---------- creation LDIF file --------------
> dn: ou=testchildobject,ou=testparentobject,o=bug
> objectClass: top
> objectClass: organizationalUnit
> ou: testchildobject
>