I seem to have found a workaround (at least for my special case) by using a macro ACI:
(targetattr="*")(target="ldap:///cn=*,cn=($dn),o=bug")(version 3.0; acl "Test 2"; allow (all) userdn ="ldap:///o=bug??sub?(nsuniqueid=[$dn])";)
This works for my first post, which is my real-life problem, where I want to give rights on an object to the user whose nsuniqueid equals the cn of the object's parent.
For my second post, this workaround does not work, since it is based on a DN component, while I store the information in an attribute not used in the DN (description).
Maybe I should file a bug.
François
2006/9/25, François Beretti <francois.beretti@xxxxxxxxx>:
Hi again,
since my first post may be complex, I made a much simpler sample, with standard objects.
I created a root suffix 'o=bug'
with two ACI:
aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr ="description#LDAPURL";)
aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr ="parent[1].description#LDAPURL";)
Then I added a user, uid=testuser,o=bug
Then, an organizationalUnit, ou=testparentobject,o=bug
with the description: ldap:///o=bug??sub?(uid=testuser)
According to the ACIs, testuser should be able to modify ou=testparentobject and to create child objects under it.
But he only can modify it.
I don't find where I made a mistake.
I am attaching my LDIF files and LDAP commands.
Thank you for your help
François
Here are the LDIF files :
---------- o=bug dump -------
dn: o=bug
aci: (targetattr != "userPassword") (version 3.0; acl "Anonymous access"; allow (read, search, compare)userdn = "ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr ="description#LDAPURL";)
aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr ="parent[1].description#LDAPURL";)
o: bug
objectClass: top
objectClass: organization

dn: uid=testuser,o=bug
uid: testuser
givenName: Test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: User
cn: Test User
userPassword: toto

dn: ou=testparentobject,o=bug
ou: testparentobject
description: ldap:///o=bug??sub?(uid=testuser)
objectClass: top
objectClass: organizationalunit
--------- modification command ----------
$ ldapmodify -x -D 'uid=testuser,o=bug' -w toto -f object-modification.ldif
modifying entry "ou=testparentobject,o=bug"
$
--------- creation command -----------
$ ldapadd -x -D 'uid=testuser,o=bug' -w toto -f object-creation.ldif
adding new entry "ou=testchildobject,ou=testparentobject,o=bug"
ldap_add: Insufficient access (50)
additional info: Insufficient 'add' privilege to add the entry 'ou=testchildobject,ou=testparentobject,o=bug'.
$
---------- modification LDIF file ----------------
dn: ou=testparentobject,o=bug
changetype: modify
replace: telephoneNumber
telephoneNumber: 0123456789
---------- creation LDIF file --------------
dn: ou=testchildobject,ou=testparentobject,o=bug
objectClass: top
objectClass: organizationalUnit
ou: testchildobject
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
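The thread above turns on which entry each bind rule reads: a `userattr="description#LDAPURL"` rule reads the attribute from the entry being accessed (for an add, that is the new entry, which has no description yet), `parent[1].description#LDAPURL` reads it from the entry's parent, and the macro ACI in the workaround takes the `($dn)` fragment out of the target DN and substitutes it for `[$dn]` in the bind-rule LDAP URL. The following is an added illustration written for this page, not code from Fedora/389 Directory Server and not the server's real ACI evaluator: a small in-memory model of those three rules, using the entries from the LDIF in the post (the nsuniqueid values and the `uid=other` entry are constructed). It implements the documented semantics the poster expected, so it grants the child add under the `parent[1]` rule; it does not reproduce whatever made the real server return "Insufficient access (50)", it only makes explicit what each rule looks at. It models only plain `ldap:///base??scope?(attr=value)` URLs and DNs without escaped commas.

```python
import re
from urllib.parse import unquote

# Constructed in-memory directory mirroring the LDIF in the post. The nsuniqueid
# values are made up; a real server assigns them. uid=other is an extra user.
TESTUSER_ID = "11111111-22223333-44445555-66667777"
DIRECTORY = {
    "o=bug": {"o": "bug"},
    "uid=testuser,o=bug": {"uid": "testuser", "nsuniqueid": TESTUSER_ID},
    "uid=other,o=bug": {"uid": "other", "nsuniqueid": "88888888-9999aaaa-bbbbcccc-ddddeeee"},
    "ou=testparentobject,o=bug": {"ou": "testparentobject",
                                  "description": "ldap:///o=bug??sub?(uid=testuser)"},
}


def parent_dn(dn, levels=1):
    """Strip `levels` leading RDNs (escaped commas are not handled)."""
    for _ in range(levels):
        dn = dn.split(",", 1)[1]
    return dn


def attr_values(entry, attr):
    """Case-insensitive attribute lookup; always returns a list."""
    for name, value in entry.items():
        if name.lower() == attr.lower():
            return value if isinstance(value, list) else [value]
    return []


def parse_ldap_url(url):
    """RFC 4516 subset: ldap:///base?attrs?scope?filter -> (base, scope, filter)."""
    base, _attrs, scope, filt = re.fullmatch(
        r"ldap:///([^?]*)\??([^?]*)\??([^?]*)\??(.*)", url).groups()
    return unquote(base), (scope or "base").lower(), unquote(filt) or "(objectClass=*)"


def in_scope(dn, base, scope):
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.endswith("," + base) and parent_dn(dn) == base
    return dn == base or dn.endswith("," + base)  # sub


def matches_filter(entry, filt):
    """Only simple equality filters such as (uid=testuser) are modelled."""
    attr, value = re.fullmatch(r"\((\w+)=([^)]*)\)", filt).groups()
    return any(v.lower() == value.lower() for v in attr_values(entry, attr))


def ldapurl_admits(url, bind_dn):
    """Is the bound user under the URL's base/scope and matched by its filter?"""
    base, scope, filt = parse_ldap_url(url)
    entry = DIRECTORY.get(bind_dn)
    return entry is not None and in_scope(bind_dn, base, scope) and matches_filter(entry, filt)


def userattr_ldapurl(target_dn, bind_dn, spec):
    """Bind rule userattr="[parent[N].]attr#LDAPURL": read attr from the target
    entry (or its N-th ancestor) and test the bound user against each URL found."""
    level, attr = re.fullmatch(r"(?:parent\[(\d+)\]\.)?(\w+)#LDAPURL", spec).groups()
    source_dn = parent_dn(target_dn, int(level)) if level else target_dn
    entry = DIRECTORY.get(source_dn, {})  # an entry being added has no attributes yet
    return any(ldapurl_admits(url, bind_dn) for url in attr_values(entry, attr))


def macro_aci(target_dn, bind_dn, target_pattern, userdn_pattern):
    """Macro ACI: ($dn) in the target captures a DN fragment; [$dn] in the subject
    is replaced by it, retrying with the leftmost RDN dropped until none is left."""
    rx = (re.escape(target_pattern)
          .replace(r"\(\$dn\)", "(?P<dn>.+)")  # the macro
          .replace(r"\*", "[^,]+"))            # ordinary wildcard inside an RDN value
    m = re.fullmatch(rx, "ldap:///" + target_dn, re.IGNORECASE)
    if not m:
        return False
    candidates = [m.group("dn")]
    while "," in candidates[-1]:
        candidates.append(parent_dn(candidates[-1]))
    return any(ldapurl_admits(userdn_pattern.replace("[$dn]", c), bind_dn) for c in candidates)


# The ACI from the workaround in the reply, and the scenarios from the original post.
ACI_TARGET = "ldap:///cn=*,cn=($dn),o=bug"
ACI_USERDN = "ldap:///o=bug??sub?(nsuniqueid=[$dn])"
BIND = "uid=testuser,o=bug"
CHILD = "ou=testchildobject,ou=testparentobject,o=bug"


def demo():
    return {
        "modify parent, description#LDAPURL":
            userattr_ldapurl("ou=testparentobject,o=bug", BIND, "description#LDAPURL"),
        "add child, description#LDAPURL (child has no description)":
            userattr_ldapurl(CHILD, BIND, "description#LDAPURL"),
        "add child, parent[1].description#LDAPURL":
            userattr_ldapurl(CHILD, BIND, "parent[1].description#LDAPURL"),
        "macro ACI, user whose nsuniqueid is the parent cn":
            macro_aci(f"cn=child,cn={TESTUSER_ID},o=bug", BIND, ACI_TARGET, ACI_USERDN),
        "macro ACI, some other user":
            macro_aci(f"cn=child,cn={TESTUSER_ID},o=bug", "uid=other,o=bug", ACI_TARGET, ACI_USERDN),
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{'ALLOW' if granted else 'DENY':5} {name}")
```

The second scenario is the one to keep in mind when reading the bug report: on an add, the only `description` the plain `description#LDAPURL` rule can consult is the new entry's own, so that rule can never grant a child creation by itself; only the `parent[1]` form (or the macro ACI, which needs no attribute at all because the owner's identity is encoded in the DN) reaches the parent's data.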