I have an LDAP server running with the structure:
dc=example,dc=ldap
  dc=organisations
    o=orga1 (objectClasses top/organisation/dcObject)
      cn=ADMINS (objectClasses top/groupOfNames)
      cn=USER
    o=orga2
      cn=ADMIN
      cn=USER
  cn=users (objectClasses top/organisation/dcObject)
    cn=user1 (objectClasses top/person)
    cn=user2
Now I want to add some rules so that only the users in the organisation's groups are able to see the organisation.
The hard-coded approach was quite easy to implement:
olcAccess: {1}to dn.subtree="o=orga1,dc=organizations,dc=example,dc=ldap"
  by group.exact="cn=ADMINS,o=orga1,dc=organizations,dc=example,dc=ldap" write
  by group.exact="cn=USER,o=orga1,dc=organizations,dc=example,dc=ldap" read
  by * none
(It is important to write TWO spaces in front of the 'by' [it was a problem for me for a long time].)
But I don't want to implement these rules for every new organisation, so I tried to implement the rule with some regex magic. But I failed miserably:
olcAccess: {1}to dn.regex="^o=(.+),dc=organizations,dc=example,dc=ldap$"
  attrs=children
  by group.exact="cn=ADMINS,o=[$1],dc=organizations,dc=example,dc=ldap$" write
  by group.exact="cn=USER,o=[$1],dc=organizations,dc=example,dc=ldap$" read
  by * none
This rule affects nothing. So does someone have an idea how to fix my problem?
Or is it not possible to group the members like I did?
Thanks again
Over the mailing list I got the hint that group.exact is NOT doing regex evaluation.
As a workaround, I've created my own objectClass with the attributes "orgaMember" and "orgaAdmin"; now it is possible to create an olcAccess rule based on these attributes. To apply this rule to all organizations, a regex can be used.
olcAccess: {1}to dn.regex="^o=(.+),dc=organizations,dc=example,dc=ldap$"
  by dnattr=orgaAdmin write
  by dnattr=orgaMember read
  by * none
I hope this will help someone.
PS: to update the objectClasses, a lot of things need to be taken into account; see http://www.zytrax.com/books/ldap/ch6/slapd-config.html
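An added example (not from the original post) of the pieces the dnattr rule above relies on: the custom objectClass with DN-syntax orgaAdmin/orgaMember attributes, one organisation entry that uses it, and the ACL loaded into cn=config as an LDIF modify. The OID arc 1.3.6.1.4.1.99999 is a placeholder, olcDatabase={1}mdb is an assumed database name, and the DNs follow the olcAccess rules in the posts above.

```ldif
# (1) Schema, loaded into cn=config. The OID arc 1.3.6.1.4.1.99999 is a
#     PLACEHOLDER; substitute an arc you own. dnattr needs DN-syntax attributes.
dn: cn=orgaaccess,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: orgaaccess
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'orgaAdmin'
  DESC 'DN of a user allowed to write this organisation'
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.2 NAME 'orgaMember'
  DESC 'DN of a user allowed to read this organisation'
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
olcObjectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'orgaAccess'
  DESC 'Auxiliary class carrying per-organisation access lists'
  SUP top AUXILIARY
  MAY ( orgaAdmin $ orgaMember ) )

# (2) An organisation entry carrying its own access lists. dnattr is checked
#     against the entry being accessed, so each o= entry lists the DNs of the
#     requesters it grants access to (constructed sample values).
dn: o=orga1,dc=organizations,dc=example,dc=ldap
objectClass: top
objectClass: organization
objectClass: orgaAccess
o: orga1
orgaAdmin: cn=user1,cn=users,dc=example,dc=ldap
orgaMember: cn=user2,cn=users,dc=example,dc=ldap

# (3) The ACL from the answer, added to the database (olcDatabase={1}mdb is an
#     ASSUMED name; list yours with: ldapsearch -Y EXTERNAL -H ldapi:///
#     -b cn=config olcDatabase). In LDIF a line starting with one space is a
#     continuation and that space is stripped, which is why "by" needs two.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {1}to dn.regex="^o=(.+),dc=organizations,dc=example,dc=ldap$"
  by dnattr=orgaAdmin write
  by dnattr=orgaMember read
  by * none
```

Sections 1 and 3 go into cn=config (ldapadd -Y EXTERNAL -H ldapi:/// on the server), and section 2 is ordinary directory data loaded with your database admin bind after the schema is in place.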