
Re: ACL sockurl syntax (ITS#3050)



This change occurred ages ago.  Read slapd.access(5) for details.
To make a long story short, the default is exact.  Expressly require
regex evaluation.  And don't rely on defaults.

p.

> Full_Name: Jim Campbell
> Version: 2.2.8
> OS: Solaris 8
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (147.188.40.2)
>
>
> Hi,
> With 2.2.8 has there been a change in the ACL syntax:
> access to *
>         by sockurl="^ldapi:///$" write
> as I now get permission denied from my Heimdal connection.
> If I use:
> access to *
>         by sockurl="^ldapi:///$" write
>         by sockname="PATH=/var/opt/OPENldap/run/ldapi" write
> Then it passes through first check and succeeds with second:
> => acl_mask: access to entry
> "ou=KerberosPrincipals,dc=NP,dc=PH,dc=BHAM,dc=AC,dc
> =UK", attr "children" requested
> => acl_mask: to all values by "", (=n)
> <= check a_sockurl_pat: ^ldapi:///$
> <= check a_sockname_path: PATH=/var/opt/OPENldap/run/ldapi
> <= acl_mask: [2] applying write(=wrscx) (stop)
> <= acl_mask: [2] mask: write(=wrscx)
> => access_allowed: write access granted by write(=wrscx)
> => access_allowed: write access to
> "cn=krbtgt/np.ph.bham.ac.uk@np.ph.bham.ac.uk,
> ou=KerberosPrincipals,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK" "entry" requested
>
> This used to work in 2.1.x
> cheers
> Jim


-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
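
The advice in the reply, applied to the ACL from the quoted report, as an added example that is not part of the original thread. It assumes the `sockurl[.<style>]=<value>` form documented in slapd.access(5) and reuses the listener URL exactly as the report gives it.

```conf
# Before (as in the quoted report): no style is given, so slapd 2.2 applies
# the default style, exact, and compares the literal string "^ldapi:///$"
# with the listener URL. The anchors are ordinary characters here, so the
# clause never matches and evaluation falls through to the next "by" clause.
#access to *
#        by sockurl="^ldapi:///$" write

# After, option 1: require regex evaluation explicitly, keeping the pattern.
access to *
        by sockurl.regex="^ldapi:///$" write

# After, option 2: keep exact matching, state the style explicitly, and
# drop the regex anchors so the value is the plain listener URL.
#access to *
#        by sockurl.exact="ldapi:///" write
```

Running slapd with ACL debugging, as in the report, shows which `by` clause granted access, so the `acl_mask` lines can confirm that the `sockurl` clause itself now matches.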