[Fedora-directory-users] Re: Does userattr="parent[1].attribute#LDAPURL" work ?

François Beretti francois.beretti at gmail.com
Mon Sep 25 18:15:05 UTC 2006


Hi,

I seem to have found a workaround (at least for my special case) by using a
macro ACI:

(targetattr="*")(target="ldap:///cn=*,cn=($dn),o=bug")(version 3.0; acl
"Test 2"; allow (all) userdn ="ldap:///o=bug??sub?(nsuniqueid=[$dn])";)

This works for my first post, which is my real life problem, where I want to
give rights on an object to the user whose nsuniqueid equals the cn of the
object's parent.

For my second post, this workaround does not work, since it is based on a DN
component, while I store the information in an attribute not used in the DN
(description).

Maybe I should file a bug.

François

2006/9/25, François Beretti <francois.beretti at gmail.com>:
>
> Hi again,
>
> since my first post may be complex, I made a much simpler sample, with
> standard objects.
>
> I created a root suffix 'o=bug'
>
> with two ACI:
> aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr
> ="description#LDAPURL";)
> aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr
> ="parent[1].description#LDAPURL";)
>
> Then I added a user, uid=testuser,o=bug
>
> Then, an organizationalUnit, ou=testparentobject,o=bug
> with the description: ldap:///o=bug??sub?(uid=testuser)
>
> According to the ACIs, testuser should be able to modify ou=testparentobject
> and to create child objects under it.
>
> But he can only modify it.
>
> I don't find where I made a mistake.
>
> I am attaching my LDIF files and LDAP commands.
>
>
> Thank you for your help
>
> François
>
>
>
> Here are the LDIF files :
> ---------- o=bug dump -------
> dn: o=bug
> aci: (targetattr != "userPassword") (version 3.0; acl "Anonymous access";
> allow (read, search, compare)userdn = "ldap:///anyone";)
> aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr
> ="description#LDAPURL";)
> aci: (targetattr="*")(version 3.0; acl "Test"; allow (all)userattr
> ="parent[1].description#LDAPURL";)
> o: bug
> objectClass: top
> objectClass: organization
>
> dn: uid=testuser,o=bug
> uid: testuser
> givenName: Test
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> sn: User
> cn: Test User
> userPassword: toto
>
> dn: ou=testparentobject,o=bug
> ou: testparentobject
> description: ldap:///o=bug??sub?(uid=testuser)
> objectClass: top
> objectClass: organizationalunit
>
> --------- modification command ----------
> $ ldapmodify -x -D 'uid=testuser,o=bug' -w toto -f
> object-modification.ldif
> modifying entry "ou=testparentobject,o=bug"
> $
>
> --------- creation command -----------
> $ ldapadd -x -D 'uid=testuser,o=bug' -w toto -f object-creation.ldif
> adding new entry "ou=testchildobject,ou=testparentobject,o=bug"
> ldap_add: Insufficient access (50)
>         additional info: Insufficient 'add' privilege to add the entry
> 'ou=testchildobject,ou=testparentobject,o=bug'.
> $
>
> ---------- modification LDIF file ----------------
> dn: ou=testparentobject,o=bug
> changetype: modify
> replace: telephoneNumber
> telephoneNumber: 0123456789
>
> ---------- creation LDIF file --------------
> dn: ou=testchildobject,ou=testparentobject,o=bug
> objectClass: top
> objectClass: organizationalUnit
> ou: testchildobject
>
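As an added illustration (not code from the post, nor from the directory server), this Python model evaluates the two halves of the macro ACI given in the reply: the ($dn) capture from the target DN and the [$dn] expansion in the subject filter. It runs against a constructed in-memory directory with made-up nsuniqueid values, treats [$dn] as just the captured value (enough for the single-component case in the reply; the server's full [$dn] handling is not modelled), and also shows why the quoted test layout, which keeps the link in `description` rather than in the DN, gives the macro nothing to capture.

```python
import re

# Constructed sample directory (not a dump from the post): DN -> attributes.
# The nsuniqueid values are made up; a real server assigns its own.
TESTUSER_DN = "uid=testuser,o=bug"
TESTUSER_ID = "8f3a2c1e-1dd111b2-8066c2a2-5a4d0000"
OTHER_DN = "uid=otheruser,o=bug"
OTHER_ID = "0b7c9d2a-1dd111b2-8066c2a2-5a4d0001"
ENTRIES = {TESTUSER_DN: {"nsuniqueid": TESTUSER_ID}, OTHER_DN: {"nsuniqueid": OTHER_ID}}

# The target and subject halves of the macro ACI from the post.
TARGET = "ldap:///cn=*,cn=($dn),o=bug"
SUBJECT = "ldap:///o=bug??sub?(nsuniqueid=[$dn])"

def match_target(target_url, entry_dn):
    """Return the RDN value captured by ($dn), or None if the target does not
    cover entry_dn. A '*' component stands for any single RDN value."""
    pattern = re.escape(target_url[len("ldap:///"):])
    pattern = pattern.replace(r"\*", r"[^,]+").replace(r"\(\$dn\)", r"(?P<dn>[^,]+)")
    m = re.fullmatch(pattern, entry_dn, re.IGNORECASE)
    return m.group("dn") if m else None

def subject_dns(subject_url, captured):
    """Expand [$dn] in the subject URL and evaluate its equality filter over the
    in-memory entries under the URL's search base (sub scope assumed)."""
    base, _attrs, _scope, filt = subject_url[len("ldap:///"):].split("?")
    attr, value = re.fullmatch(r"\((\w+)=([^)]+)\)", filt.replace("[$dn]", captured)).groups()

    def in_base(dn):
        return dn.lower() == base.lower() or dn.lower().endswith("," + base.lower())

    return {dn.lower() for dn, attrs in ENTRIES.items()
            if in_base(dn) and attrs.get(attr, "").lower() == value.lower()}

def allowed(entry_dn, bind_dn):
    """True if the macro ACI grants bind_dn its rights on entry_dn."""
    captured = match_target(TARGET, entry_dn)
    if captured is None:
        return False  # target clause does not match, so this ACI grants nothing
    return bind_dn.lower() in subject_dns(SUBJECT, captured)

if __name__ == "__main__":
    child = f"cn=child,cn={TESTUSER_ID},o=bug"
    print(allowed(child, TESTUSER_DN))  # True: parent cn equals the binder's nsuniqueid
    print(allowed(child, OTHER_DN))     # False: a different nsuniqueid
    # The quoted layout links via 'description', not the DN: nothing for ($dn) to capture.
    print(allowed("ou=testchildobject,ou=testparentobject,o=bug", TESTUSER_DN))  # False
```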