ACI not matching attributes properly (ITS#1383)
Full_Name: Kevin McCarthy
Version: 2.0.15
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (63.149.158.90)
ACI is only working atomically per object and not per attribute.
Here is an example.
Goal 1: allow group 2, 3 full access to matched DN
Goal 2: allow group 1 to only read cn, member attributes
access.conf file:
access to dn="(.*),ou=groups,o=(.*),o=our_company"
by aci write
by * auth
ACI info:
OpenLDAPaci: 1.2.3#entry#grant;r,s;cn,member#group#cn=group1...
OpenLDAPaci: 1.2.3#entry#grant;r,w;[all];#group#cn=group2...
OpenLDAPaci: 1.2.3#entry#grant;r,w;[all];#group#cn=group3...
groups 2 and 3 do in fact get full access but group 1 has no access whatsoever.
After consulting the author (Mark Valence), line 1 was rewritten the following
ways:
rewrite1: separate attributes so that each directive had only 1 attr:
OpenLDAPaci: 1.2.3#entry#grant;r,s;cn#group#cn=group1...
OpenLDAPaci: 1.2.3#entry#grant;r,s;member#group#cn=group1...
rewrite2: re-specify perms for each attribute:
OpenLDAPaci: 1.2.3#entry#grant;r,s;cn;r,s;member#group#cn=group1...
rewrite3: add '$' between directives:
OpenLDAPaci: 1.2.3#entry#grant;r,s;cn$grant;r,s;member#group#cn=group1...
After all these failed, I tried to grant [all] then prune attributes.
OpenLDAPaci: 1.2.3#entry#grant;r,s;[all];;objectclass#group#cn=group1...
This DID grant r,s to [all] but failed to remove r,s from 'objectclass' as it
was included in the result set.
Similar rewrites were done to try to remove attributes from [all] and all
failed.
My feeling is that no per-attribute directives are functioning properly, but the
[all] case works fine.
Kevin
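The following is an added example, not part of the ITS report and not code from OpenLDAP: a small Python parser and evaluator for the OpenLDAPaci value format, used to show what each of the variants quoted above would grant if the rights field were applied per attribute, which is the behaviour the report expects. The field layout (`oid#scope#rights#type#subject`, actions separated by `$`, `perms;attrs` pairs inside an action, `[all]` as a wildcard, `deny` as the opposite of `grant`) is assumed from the quoted values; the group DNs and the entry's attribute list are constructed for the example. One thing the model makes visible: a clause such as `;;objectclass` is a grant of nothing, so it cannot strip what an earlier `[all]` grant gave, whereas a `deny` clause can.

```python
"""
Toy evaluator for the OpenLDAPaci value format quoted in the report.

Assumed layout (inferred from the quoted values, not from slapd's source):

    <oid>#<scope>#<rights>#<subject type>#<subject>

<rights> holds one or more actions separated by '$'; each action is

    <action>;<perms>;<attrs>[;<perms>;<attrs>...]

with <action> 'grant' or 'deny', <perms> a comma list such as r,s,w and
<attrs> a comma list of attribute names or the '[all]' wildcard.
"""
from dataclasses import dataclass


@dataclass
class AciRule:
    oid: str
    scope: str
    actions: list  # [(action, [(perm_set, attr_list), ...]), ...]
    subject_type: str
    subject: str


def parse_aci(value: str) -> AciRule:
    """Split one OpenLDAPaci value into its five '#' fields and its rights clauses."""
    parts = value.split("#")
    if len(parts) != 5:
        raise ValueError(f"expected 5 '#'-separated fields, got {len(parts)}: {value!r}")
    oid, scope, rights, subject_type, subject = parts
    actions = []
    for spec in rights.split("$"):
        fields = spec.split(";")
        action = fields[0].strip().lower()
        if action not in ("grant", "deny"):
            raise ValueError(f"unknown action {action!r} in {value!r}")
        pairs = fields[1:]
        while pairs and pairs[-1] == "":   # tolerate a trailing ';' as in the group2/group3 lines
            pairs.pop()
        if len(pairs) % 2:
            raise ValueError(f"perms/attrs not paired in {value!r}")
        clauses = []
        for perms, attrs in zip(pairs[::2], pairs[1::2]):
            perm_set = {p.strip().lower() for p in perms.split(",") if p.strip()}
            attr_list = [a.strip().lower() for a in attrs.split(",") if a.strip()]
            clauses.append((perm_set, attr_list))
        actions.append((action, clauses))
    return AciRule(oid, scope, actions, subject_type, subject)


def effective_rights(rules, subject: str, entry_attrs) -> dict:
    """Per-attribute permissions `subject` holds on an entry carrying entry_attrs.

    Model (an assumption of this example): grants add permissions per
    attribute, denies remove them, rules apply in order, and '[all]' expands to
    every attribute of the entry. A grant with an empty permission list adds
    nothing and therefore does not undo an earlier '[all]' grant.
    """
    rights = {a.lower(): set() for a in entry_attrs}
    for rule in rules:
        if rule.subject.lower() != subject.lower():
            continue
        for action, clauses in rule.actions:
            for perms, attrs in clauses:
                targets = list(rights) if "[all]" in attrs else [a for a in attrs if a in rights]
                for a in targets:
                    if action == "grant":
                        rights[a] |= perms
                    else:
                        rights[a] -= perms
    return rights


# Constructed sample: the report's variants with made-up group DNs and attributes.
GROUP1 = "cn=group1,ou=groups,o=example"
GROUP2 = "cn=group2,ou=groups,o=example"
ENTRY_ATTRS = ["cn", "member", "objectClass"]
SAMPLE_ACIS = [
    f"1.2.3#entry#grant;r,s;cn,member#group#{GROUP1}",            # original line 1
    f"1.2.3#entry#grant;r,w;[all];#group#{GROUP2}",               # original line 2
    f"1.2.3#entry#grant;r,s;[all];;objectclass#group#{GROUP1}",   # the 'prune' attempt
    f"1.2.3#entry#grant;r,s;[all]$deny;r,s;objectclass#group#{GROUP1}",  # explicit deny instead
]


if __name__ == "__main__":
    for value in SAMPLE_ACIS:
        rule = parse_aci(value)
        print(value)
        print("   ->", effective_rights([rule], rule.subject, ENTRY_ATTRS))
```

Running the block prints, for each sample value on its own, the per-attribute permission sets its subject would end up with under this model; the two `[all]` lines for group1 differ only in whether `objectclass` keeps `r,s`.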