On 01.04.2011 13:25, Kilian Röhner wrote:
>>> 1. Is it possible to specify a regexp as rootdn?
>>
>> No, but if you use SASL (e.g. ldapsearch -H ldapi:// -QY EXTERNAL) or
>> proxy auth, then you can use authz-regexp to rewrite multiple DNs to
>> a single one which you then can use as rootDN.
>
> OK, that is what I am already doing. Currently, I bind every admin to
> cn=ldapadmin,XYZ but I would like to bind them to
> cn=<user>,cn=ldapadmin,XYZ so that I can see in the creatorsName and
> modifiersName of the nodes who did what.
>
> Would be nice for the future to have this (if this is the right place to
> say it).

Why don't you use ACLs to give admins the permissions they need? There's
no need to abuse the rootdn for that.

>>> 2. In an access-rule, I have a set like:
>>> by set="(user + ([cn=Current,cn=Time,cn=Monitor]/monitorTimestamp)) &
>>> (this/modifiersName + this/createTimestamp)" write
>>
>> You want to let bound users write to entries they created this second?
>> Cool, but fragile since the creation might happen at the end of the
>> second, and the next write op next second.
>
> Yes, that is what I'm trying to do. In fact, I want to allow some users
> only the creation of nodes but not the modification or deletion. The
> problem is of course that OpenLDAP has only "read" and "write" rules,
> while the last one usually implies that one can add, modify and delete.

Take a look at slapd.access(5). There is an "add" privilege.

> Does anyone have an idea why the Monitor thing is not working?
>
>>> But it seems that the Monitor part isn't resolved correctly (returns
>>> empty and thus empty for the whole set).
>>

Regards,
Christian Manal
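As an added illustration (not part of this thread, and not the poster's own configuration), here is a slapd.conf ACL fragment doing what the reply points to: admins bind as their own entries and get their rights through a group instead of a shared rootdn, and a second group gets the "add" privilege so it can create entries under a subtree but not replace or delete anything. The suffix, OU and group DNs are assumed placeholders; groups are the default groupOfNames/member kind.

```conf
# Added example, not from the thread. Placeholder DNs under dc=example,dc=com.
# Admins are ordinary entries listed as "member" of cn=ldapadmin, so
# creatorsName/modifiersName show the individual admin, not one shared DN.

# Passwords: each user may set their own, everyone may bind, nobody reads them.
access to attrs=userPassword
    by group.exact="cn=ldapadmin,ou=Groups,dc=example,dc=com" manage
    by self write
    by anonymous auth
    by * none

# Adding an entry needs "add" on the parent's "children" pseudo-attribute.
# "add" (one half of "write") grants exactly that, while entry deletion and
# renames need the "delete" half, which cn=creators never gets.
access to dn.exact="ou=People,dc=example,dc=com" attrs=children
    by group.exact="cn=ldapadmin,ou=Groups,dc=example,dc=com" manage
    by group.exact="cn=creators,ou=Groups,dc=example,dc=com" add
    by * none

# The new entry's own attributes (including the "entry" pseudo-attribute)
# also need "add"; replace and delete modifications on these entries are
# refused for cn=creators because they require more than "add".
access to dn.children="ou=People,dc=example,dc=com"
    by group.exact="cn=ldapadmin,ou=Groups,dc=example,dc=com" manage
    by group.exact="cn=creators,ou=Groups,dc=example,dc=com" add
    by * read

# Everything else: admins manage, the rest read.
access to dn.subtree="dc=example,dc=com"
    by group.exact="cn=ldapadmin,ou=Groups,dc=example,dc=com" manage
    by * read
```

One caveat: "add" still permits a modify that only adds new attribute values to an existing entry (only replace and delete are refused), so it is not a strict write-once rule; check the exact behaviour against your own tree with slapacl(8) before relying on it.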
