Re: Does userattr="parent[1].attribute#LDAPURL" work ?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

I seem to have found a workaround (at least for my special case) by using a macro ACI :

(targetattr="*")(target="ldap:///cn=*,cn=($dn),o=bug")(version 3.0; acl "Test 2"; allow (all) userdn ="ldap:///o=bug??sub?(nsuniqueid=[$dn])";)

This works for my first post, which is my real life problem, where I want to give right on an object to the user whose nsuniqueid equals the cn of the object's parent.

For my second post, this workaround does not work, since it is based on a DN component, while I store the information in an attribute not used in the DN (description).

Maybe I should file a bug.

François

2006/9/25, François Beretti < francois.beretti@xxxxxxxxx>:
Hi again,

since my first post may be complex, I made a much simpler sample, with standard objects.

I created a root suffix 'o=bug'

with two ACI:
aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr ="description#LDAPURL";)
aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr ="parent[1].description#LDAPURL";)

Then I added a user, uid=testuser,o=bug

Then, an organizationalUnit, ou=testparentobject,o=bug
with the description: ldap:///o=bug??sub?(uid=testuser)

According the ACIs, testuser dhould be able to modify ou=testparentobject and to create child objects under it.

But he only can modify it.

I don't find where I made a mistake.

I join you my LDIF files and LDAP commands.


Thank you for your help

François



Here are the LDIF files :
---------- o=bug dump -------
dn: o=bug
aci: (targetattr != "userPassword") (version 3.0; acl "Anonymous access"; allow (read, search, compare)userdn = "ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr ="description#LDAPURL";)
aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr ="parent[1].description#LDAPURL";)
o: bug
objectClass: top
objectClass: organization

dn: uid=testuser,o=bug
uid: testuser
givenName: Test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: User
cn: Test User
userPassword: toto

dn: ou=testparentobject,o=bug
ou: testparentobject
description: ldap:///o=bug??sub?(uid=testuser)
objectClass: top
objectClass: organizationalunit




--------- modification command ----------
$ ldapmodify -x -D 'uid=testuser,o=bug' -w toto -f object-modification.ldif
modifying entry "ou=testparentobject,o=bug"
$

--------- creation command -----------
$ ldapadd -x -D 'uid=testuser,o=bug' -w toto -f object-creation.ldif
adding new entry "ou=testchildobject,ou=testparentobject,o=bug"
ldap_add: Insufficient access (50)
        additional info: Insufficient 'add' privilege to add the entry 'ou=testchildobject,ou=testparentobject,o=bug'.
$




---------- modification LDIF file ----------------
dn: ou=testparentobject,o=bug
changetype: modify
replace: telephoneNumber
telephoneNumber: 0123456789




---------- creation LDIF file --------------
dn: ou=testchildobject,ou=testparentobject,o=bug
objectClass: top
objectClass: organizationalUnit
ou: testchildobject







--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users

[Index of Archives]     [Fedora Directory Users]     [Fedora Directory Devel]     [Fedora Announce]     [Fedora Legacy Announce]     [Kernel]     [Fedora Legacy]     [Share Photos]     [Fedora Desktop]     [PAM]     [Red Hat Watch]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite News]

  Powered by Linux