
Re: ACL order changes * by * read access (ITS#2068)



quanah@stanford.edu wrote:
> Full_Name: Quanah Gibson-Mount
> Version: 2.1.4
> OS: Solaris 8
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (171.64.13.58)
> 
> 
> Hello,
> 
> If I create an ACL file like this:
> 
> # ACL include file for slapd
> #
> # this is specific to ldap4.stanford.edu for testing
> 
> access to *
>         by dn="cn=manager,dc=stanford,dc=edu" write
>         by group="cn=Supervisor,cn=Applications,dc=stanford,dc=edu" write
>         by group="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu" read
>         by dn="cn=replicator,cn=Applications,dc=stanford,dc=edu" read
>         by * read
> 
> access to dn=".*,cn=People,dc=stanford,dc=edu"
>         by dn="cn=SLOG-People,cn=Applications,dc=stanford,dc=edu" write
> 
> access to dn=".*,cn=Accounts,dc=stanford,dc=edu"
>         by dn="cn=SLOG-Accounts,cn=Applications,dc=stanford,dc=edu" write
> 
> Access seems to work correctly.  However, if I change the order thus:
> 
> # ACL include file for slapd
> #
> # this is specific to ldap4.stanford.edu for testing
> 
> access to dn=".*,cn=People,dc=stanford,dc=edu"
>         by dn="cn=SLOG-People,cn=Applications,dc=stanford,dc=edu" write
> 
> access to dn=".*,cn=Accounts,dc=stanford,dc=edu"
>         by dn="cn=SLOG-Accounts,cn=Applications,dc=stanford,dc=edu" write
> 
> access to *
>         by dn="cn=manager,dc=stanford,dc=edu" write
>         by group="cn=Supervisor,cn=Applications,dc=stanford,dc=edu" write
>         by group="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu" read
>         by dn="cn=replicator,cn=Applications,dc=stanford,dc=edu" read
>         by * read
> 
> 
> When I do an ldapsearch, I see only the Accounts subtree.  I would guess that
> something is incorrect in the way in which slapd parses the regexp for the first
> 2 entries in the second example.

Assuming regexes on your system are working well, these ACLs allow
"cn=SLOG-People,cn=Applications,dc=stanford,dc=edu" write access
to the "cn=People" subtree, and no one else can access it or even
authenticate with a DN under that subtree; they also allow
"cn=SLOG-Accounts,cn=Applications,dc=stanford,dc=edu" write access
to the cn=Accounts subtree, and no one else can access that subtree.
Everybody is then granted read access to everything except the
previous subtrees.  What DN are you binding with when you see
the "cn=Accounts" subtree, and what are you using for the rest?

Pierangelo.

-- 
Dr. Pierangelo Masarati               | voice: +39 02 2399 8309
mailto:pierangelo.masarati@polimi.it  | fax:   +39 02 2399 8334
http://www.aero.polimi.it/~masarati
Dip. Ing. Aerospaziale Politecnico di Milano,
via La Masa 34, 20156 Milano, Italy
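The evaluation rule behind the reply above (slapd uses the first "access to" clause whose target matches, then the first matching "by" clause within it, and denies when none matches) can be reproduced with the following small Python model, added here as an example; it is not code from the thread or from OpenLDAP itself. The group memberships and the "uid=bob" test entries are constructed, and "by dn=" is treated as an exact match rather than the regex slapd 2.1 actually applies.

```python
import re

# Simplified model of slapd ACL evaluation (added example, not OpenLDAP code).
# slapd takes the FIRST "access to" clause whose target matches the entry,
# then the FIRST "by" clause in it matching the requester; if no "by" clause
# matches, access is denied (an implicit "by * none"). Attribute selectors and
# regex-style "by dn=" are not modelled.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed membership for the two group= clauses in the report (empty here).
GROUPS = {
    "cn=supervisor,cn=applications,dc=stanford,dc=edu": set(),
    "cn=ldapadmin,cn=applications,dc=stanford,dc=edu": set(),
}

COMMON_BY = [  # the "by" list of the "access to *" clause in the report
    ("dn", "cn=manager,dc=stanford,dc=edu", "write"),
    ("group", "cn=Supervisor,cn=Applications,dc=stanford,dc=edu", "write"),
    ("group", "cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu", "read"),
    ("dn", "cn=replicator,cn=Applications,dc=stanford,dc=edu", "read"),
    ("*", None, "read"),
]
PEOPLE = (r".*,cn=People,dc=stanford,dc=edu",
          [("dn", "cn=SLOG-People,cn=Applications,dc=stanford,dc=edu", "write")])
ACCOUNTS = (r".*,cn=Accounts,dc=stanford,dc=edu",
            [("dn", "cn=SLOG-Accounts,cn=Applications,dc=stanford,dc=edu", "write")])
ORIGINAL_ORDER = [(r".*", COMMON_BY), PEOPLE, ACCOUNTS]  # first ACL file
CHANGED_ORDER = [PEOPLE, ACCOUNTS, (r".*", COMMON_BY)]   # second ACL file

def _who_matches(kind, who, bind_dn):
    if kind == "*":
        return True
    if kind == "dn":
        return who.lower() == bind_dn.lower()
    return bind_dn.lower() in GROUPS.get(who.lower(), set())  # kind == "group"

def evaluate(acls, target_dn, bind_dn=""):
    """Access level slapd would grant bind_dn ("" = anonymous) on target_dn."""
    for target_re, by_clauses in acls:
        if re.match(target_re, target_dn, re.IGNORECASE):
            for kind, who, level in by_clauses:
                if _who_matches(kind, who, bind_dn):
                    return level
            return "none"  # clause matched but nobody listed: denied
    return "none"          # no clause matched at all: denied

def can_bind(acls, user_dn):
    """A simple bind needs 'auth' on the user's entry for the anonymous binder."""
    return LEVELS.index(evaluate(acls, user_dn, "")) >= LEVELS.index("auth")
```

With the changed order even cn=manager gets nothing on the cn=People subtree, and a user below it cannot bind, because the subtree clause is the first match and it lists only the SLOG DN.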