
Re: ACL's using group access do not work (ITS#2118)



At 03:12 PM 2002-10-07, Quanah Gibson-Mount wrote:
>I haven't heard anything back on this from you in a bit, but I've got more exciting debugging pieces of information. ;)

Been busy... you just gave what I was just about to ask for...
the schema definition for suRegID.

>So (see output below),
>
>When it is going through looking at whether or not suRegID is a member of the group supervisor, it is doing an OID validate? Why?

Because you defined values of the attribute to be OIDs.

>Should it care about the OID of suRegID?

It cares about the values of the attribute.

>Also, the "oid" it is validating appears to be my suRegID number.

Yep, 1.3.6.1.4.1.1466.155.121.1.38 is an OID.

>Is this then a problem with the schema definition of suRegID?
>
>attributetype ( 1.3.6.1.4.1.299.11.1.1 NAME ( 'suRegID' )
>        EQUALITY objectIdentifierMatch
>        SYNTAX 1.3.6.1.4.1.1466.155.121.1.38 SINGLE-VALUE)

This explains the DN normalization failure.  Basically
you are trying to compare two invalid values.  A
comparison where the assertion and/or stored value is
invalid is Undefined, and this results in a False match.

You likely should define this to be some IA5 string with
case ignore (IA5) matching.

Kurt



>Oct  7 15:01:55 ldap2.Stanford.EDU slapd[23561]: [ID 114958 local4.debug] >>>dnNormalize: <suRegID=85e49978f61311d2ae662436000baa77,cn=people,dc=stanford,dc=edu>
>Oct  7 15:01:55 ldap2.Stanford.EDU slapd[23561]: [ID 974938 local4.debug] normal else: validf set to ssyn_validate.
>Oct  7 15:01:55 ldap2.Stanford.EDU slapd[23561]: [ID 348223 local4.debug] ad cname: <suRegID>
>Oct  7 15:01:55 ldap2.Stanford.EDU slapd[23561]: [ID 473945 local4.debug] LDAPDN_rewrite2: validf = <\235\343\277\2201>
>Oct  7 15:01:55 ldap2.Stanford.EDU slapd[23561]: [ID 731083 local4.debug] LDAPDN_rewrite2: sat cname = <suRegID>
>Oct  7 15:01:55 ldap2.Stanford.EDU slapd[23561]: [ID 429923 local4.debug] QUANAH: oidValidate
>Oct  7 15:01:55 ldap2.Stanford.EDU slapd[23561]: [ID 487737 local4.debug] QUANAH: oidValidate: bv_val of 0 is 8
>Oct  7 15:01:55 ldap2.Stanford.EDU slapd[23561]: [ID 487965 local4.debug] QUANAH: oidValidate: bv_val of i is e
>Oct  7 15:01:55 ldap2.Stanford.EDU slapd[23561]: [ID 439323 local4.debug] QUANAH: oidValidate: OID_LEADCHAR1
>Oct  7 15:01:55 ldap2.Stanford.EDU slapd[23561]: [ID 350067 local4.debug] LDAPDN_rewrite2: rc = "21"
>Oct  7 15:01:55 ldap2.Stanford.EDU slapd[23561]: [ID 141248 local4.debug] LDAPDN_rewrite2: Returning invalid_SYNTAX.
>Oct  7 15:01:55 ldap2.Stanford.EDU slapd[23561]: [ID 928770 local4.debug] ====> Inside DN Normalization 2, returning invalid syntax.
>Oct  7 15:01:55 ldap2.Stanford.EDU slapd[23561]: [ID 233264 local4.debug] ====> value_find_ex: rc="21"
>Oct  7 15:01:55 ldap2.Stanford.EDU slapd[23561]: [ID 604206 local4.debug] ====> Did NOT GET LDAP_SUCCESS.
>Oct  7 15:01:55 ldap2.Stanford.EDU slapd[23561]: [ID 631365 local4.debug] <= bdb_group: "suRegID=85e49978f61311d2ae662436000baa77,cn=people,dc=stanford,dc=edu" not in "cn=supervisor,cn=applications,dc=stanford,dc=edu": member
>
>--Quanah
>
>--
>Quanah Gibson-Mount
>Senior Systems Administrator
>ITSS/TSS/Computing Systems
>Stanford University
>GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
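
Added example, not part of the original message and not OpenLDAP's code: a simplified C model of why the group check in the log is denied. It validates the suRegID value against the OID syntax (RFC 4517 grammar) and against an IA5 string, and treats a match on an invalid value as Undefined. The function names are hypothetical, only the RDN value is compared rather than the whole DN, and case-ignore matching is reduced to ASCII folding.

```c
#include <ctype.h>
#include <stdio.h>

enum match { MATCH_FALSE, MATCH_TRUE, MATCH_UNDEFINED };

/* RFC 4517 numericoid: number 1*("." number), no leading zeros in an arc. */
static int numericoid_valid(const char *s) {
    for (int arcs = 1; ; arcs++) {
        if (!isdigit((unsigned char)*s)) return 0;
        if (*s == '0' && isdigit((unsigned char)s[1])) return 0;
        while (isdigit((unsigned char)*s)) s++;
        if (*s == '\0') return arcs >= 2;
        if (*s++ != '.') return 0;
    }
}

/* RFC 4517 OID syntax: descr (ALPHA, then ALPHA / DIGIT / "-") or numericoid. */
int oid_valid(const char *s) {
    if (!isalpha((unsigned char)*s)) return numericoid_valid(s);
    for (s++; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '-') return 0;
    return 1;
}

/* IA5 String syntax: every octet must be 7-bit. */
int ia5_valid(const char *s) {
    for (; *s; s++) if ((unsigned char)*s > 0x7f) return 0;
    return 1;
}

/* Equality match; an invalid stored or asserted value makes it Undefined. */
enum match value_match(int (*valid)(const char *), const char *a, const char *b) {
    if (!valid(a) || !valid(b)) return MATCH_UNDEFINED;
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return MATCH_FALSE;
    return *a == *b ? MATCH_TRUE : MATCH_FALSE;
}

/* Group check as an ACL sees it: only a True match counts, so Undefined denies. */
int group_member(int (*valid)(const char *), const char *member, const char *who) {
    return value_match(valid, member, who) == MATCH_TRUE;
}

int main(void) {
    const char *id = "85e49978f61311d2ae662436000baa77"; /* RDN value from the log */
    printf("OID syntax valid: %d, member: %d\n", oid_valid(id), group_member(oid_valid, id, id));
    printf("IA5 syntax valid: %d, member: %d\n", ia5_valid(id), group_member(ia5_valid, id, id));
    return 0;
}
```

With the OID syntax the value is rejected at the first non-digit, so even comparing the value with itself denies membership; with an IA5 syntax the same value validates and matches.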