Hi @all,

I've tried to implement an olcAccess rule via regex for multiple directory entries.
The goal was to group different users in two standard groups. Each group has 
different access rules. I didn't want to do such a thing for every entry, so I 
thought I would be able to do that with regexes.
But my olcAccess rules don't work.

I've already posted the question to Stack Overflow, but no answers so far. 
Here the link:
http://stackoverflow.com/questions/31693040/ldap-olcaccess-regex-are-not-working-as-expected

And here the rule for a regex access:

olcAccess: {1}to dn.regex="^o(.+),dc=organizations,dc=example,dc=ldap$"
  attrs=children
  by group.exact="cn=ADMINS,o=[$1],dc=organizations,dc=example,dc=ldap$" write
  by group.exact="cn=USER,o=[$1],dc=organizations,dc=example,dc=ldap$" read
  by * none

Can somebody help me? Or is such a thing not possible?

Greetings
John

PS: the content from Stackoverflow:
----------------------------------------------------------------------------------------

I have an LDAP server running with the structure:

dc=example,dc=ldap
   dc=organisations
      o=orga1 (objectClasses top/organisation/dcObject)
         cn=ADMINS (objectClasses top/groupOfNames)
         cn=USER
      o=orga2
         cn=ADMIN
         cn=USER
   cn=users (objectClasses top/organisation/dcObject)
      cn=user1 (objectClasses top/person)
      cn=user2

Now I want to add some rules so that only the users in the organisation groups 
are able to see the organisation.

The hard-coded approach was quite easy to implement:

olcAccess: {1}to dn.subtree="o=orga1,dc=organizations,dc=example,dc=ldap"
  by group.exact="cn=ADMINS,o=orga1,dc=organizations,dc=example,dc=ldap" write
  by group.exact="cn=USER,o=orga1,dc=organizations,dc=example,dc=ldap" read
  by * none

(It is important to write TWO spaces in front of the 'by' [it was a problem 
for me for a long time])

But I don't want to implement these rules for every new organisation, so I 
tried to implement the rule with some regex magic. But I failed miserably:

olcAccess: {1}to dn.regex="^o(.+),dc=organizations,dc=example,dc=ldap$"
  attrs=children
  by group.exact="cn=ADMINS,o=[$1],dc=organizations,dc=example,dc=ldap$" write
  by group.exact="cn=USER,o=[$1],dc=organizations,dc=example,dc=ldap$" read
  by * none

This rule affects nothing. So does someone have an idea how to fix my problem?

Or is it not possible to group the members like I did?

Thanks again


--
Johannes Fischer
Research Fellow
Fraunhofer Institute for
Manufacturing Engineering and Automation IPA

Competence Centre Digital Tools for Manufacturing

Nobelstrasse 12 │ 70569 Stuttgart  |  Germany
Phone +49 711 970-1217

[email protected]
www.ipa.fraunhofer.de


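An added example of how the regex rule can be written so that the captured organisation DN is really substituted into the group DN. It is not from John's post or from the OpenLDAP project, and it assumes the data backend is olcDatabase={1}mdb, that the suffix is dc=example,dc=ldap with the organisations under dc=organizations (the spelling the working hard-coded rule used), that the groups are groupOfNames entries with member values, and that the user entries carry userPassword. Three things differ from the posted rule: the regex captures o=<name> including the '=' and uses (.+,)? so it matches the organisation entry and everything below it, the way dn.subtree did; the by clauses use group.expand, because group.exact takes its pattern literally and never substitutes $1 (the brackets and the trailing $ inside the group DN also have to go); and attrs=children is dropped, because the children pseudo-attribute only governs adding and deleting child entries, not reading the entry or its attributes.

```ldif
# Added example, not the original post's config: a regex ACL in which the
# captured organisation DN is substituted into the group DN.
# Assumptions: the data backend is olcDatabase={1}mdb, the suffix is
# dc=example,dc=ldap with the organisations under dc=organizations (the
# spelling the working hard-coded rule used), groups are groupOfNames entries
# with "member" values, and user entries carry userPassword.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# {0}: let users bind (this rule is an assumption; the post does not show one).
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# {1}: the organisation entry and everything below it.
#  - ACL regexes are matched against the normalised DN (lower-case attribute
#    types and case-folded values), so the fixed parts are written lower-case.
#  - "(.+,)?" makes the pattern match o=orgaN itself as well as its children;
#    "[^,]+" stops the capture at the end of the RDN instead of greedily
#    swallowing the rest of the DN.
#  - $2 is the organisation's full DN; group.expand substitutes it, whereas
#    group.exact treats "$1" as two literal characters.
#  - No attrs= clause, so the rule covers all attributes plus the entry and
#    children pseudo-attributes; attrs=children alone only governs adding and
#    deleting child entries.
olcAccess: {1}to dn.regex="^(.+,)?(o=[^,]+,dc=organizations,dc=example,dc=ldap)$"
  by group.expand="cn=ADMINS,$2" write
  by group.expand="cn=USER,$2" read
  by * none
# {2}: explicit default for everything the rules above did not match
#      (the first rule whose "to" clause matches is the only one evaluated).
olcAccess: {2}to *
  by * none
```

Two things worth checking before loading this. First, the "two spaces in front of by" effect is LDIF line folding: a continuation line begins with exactly one space, which is stripped, so the second space is what separates "by" from the preceding token inside the olcAccess value; a blank line between the folded lines ends the record and breaks the rule. Second, test the result offline with slapacl instead of binding as each user, for example slapacl -F /etc/ldap/slapd.d -D "cn=user1,cn=users,dc=example,dc=ldap" -b "o=orga1,dc=organizations,dc=example,dc=ldap" o/read, and repeat with -b set to a group entry and with a user who is a member of the other organisation, which should be denied. Note the security consequence of granting write on the whole subtree: the cn=ADMINS and cn=USER group entries lie inside it, so a member of ADMINS can edit the membership of both groups, including adding accounts from another organisation; if that is not intended, put a more specific rule for the group entries in front of {1}, since the first matching to clause wins.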