
Re: ACL question: is the topmost entry different ?



Hi all,

Still more wrestling. I wouldn't be surprised if they take me to the asylum 
after even more wrestling :-(
>
> Here's my ACL:

Here's my new ACL:

---ACL
# protect all userPasswords.
# qwido: managers have access to all passwords
access to attr=userpassword
	by self write
	by group="group=managers,app=qwido" write
	by anonymous auth

### 
access to dn="oc=(.*),app=qwido"
	by dn.exact="oc=$1,app=qwido" read
	by dn.exact="app=qwido" read
	
### 
access to dn="app=qwido" attrs=children
	by dn.exact="app=qwido" write
	
### 
access to dn="app=qwido" 
	by dn.exact="app=qwido" read
	
---

When I bind with:
Base_dn: app=qwido
Bind_dn: app=qwido
I can see the *whole* tree.
I can ADD oc=isp002,app=qwido
but I can't edit any oc=.*,app=qwido (expected behaviour)

When I bind with:
Base_dn: app=qwido
Bind_dn: oc=isp001,app=qwido
I can see the 'nothing'.

This strikes me as strange.
When I remove the 'exact' I am able to see the entire tree, but:

When I bind with:
Base_dn: app=qwido
Bind_dn: manager=001,oc=isp001,app=qwido
I can see the 'nothing' (expected behaviour)

but when I remove the exact, I can also see the entire tree !

Again, mystery strikes.

defaultaccess is none (of course).

I am using core.schema, cosine.schema, nis.schema, qmail.schema and a schema 
of my own:

---qwido.schema:
# qwido.schema.01
# qwido 2.0 copyright Ace Suares http://www.qwido.com
# OID Base is iso(1) org(3) dod(6) internet(1) private(4) something(1).
# acesuares(14391) qwido(1)

# Syntaxes are under		1.3.6.1.4.1.14391.1.0 
# Attribute types are under	1.3.6.1.4.1.14391.1.1
# Object classes are under	1.3.6.1.4.1.14391.1.2
# Services are under		1.3.6.1.4.1.14391.1.3

# Objectidentifiers
objectIdentifier acesuaresOID  1.3.6.1.4.1.14391
objectIdentifier qwido acesuaresOID:1
objectIdentifier qwidoSyntax qwido:0
objectIdentifier qwidoAttributeType qwido:1
objectIdentifier qwidoObjectClass qwido:2

# qwido Attributes

attributetype ( qwidoAttributeType:0 NAME 'qwidoVersion'
	DESC 'qwido Version Number' 
	EQUALITY caseExactIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26  SINGLE-VALUE )

attributetype ( qwidoAttributeType:5 NAME 'qwidoStatus'
	DESC 'qwido Status' 
	EQUALITY caseIgnoreIA5Match
	SUBSTR caseIgnoreIA5SubstringsMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )


# qwido objectclasses

objectclass ( qwidoObjectClass:0 NAME 'qwidoTop' STRUCTURAL
	MUST ( qwidoVersion ) 
	)

objectclass ( qwidoObjectClass:1 NAME 'qwidoService'  STRUCTURAL
	MUST ( qwidoStatus )
	)

objectclass ( qwidoObjectClass:2 NAME 'qwidoOC' STRUCTURAL
	MUST ( qwidoStatus )
	)

objectclass ( qwidoObjectClass:3 NAME 'qwidoDomain' STRUCTURAL
	MUST ( qwidoStatus )
	MAY ( homeDirectory )
	)
	
objectclass ( qwidoObjectClass:4 NAME 'qwidoManager'  STRUCTURAL
	MUST ( userPassword $ qwidoStatus ) 
	MAY ( description $ cn )
	)

# end qwido.schema.01
----
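Editor's note, not part of the original post: the behaviour described above (whole tree visible once ".exact" is dropped, nothing visible with it) is what you get if the `<by>` clauses are evaluated the way slapd.access(5) describes them, namely that `dn.exact` compares the bind DN literally and does not expand `$1` (that needs the `,expand` modifier), while a bare `dn=` pattern is a regular expression that is searched unanchored and does expand `$1`. The script below models those two rules over the DNs named in the post so the difference can be seen directly; it is an added example, not OpenLDAP code, and the semantics it encodes are my reading of the manual page rather than something the post confirms. The third ACL (`ACL_ANCHORED`) is a hypothetical variant that pins the patterns with `^`/`$` and restricts `$1` to a single RDN value.

```python
import re

# Constructed entries modelling the tree described in the post.
TREE = [
    "app=qwido",
    "oc=isp001,app=qwido",
    "oc=isp002,app=qwido",
    "manager=001,oc=isp001,app=qwido",
]

# An ACL is a list of (what_regex, [(by_style, by_pattern), ...]) directives.
# The two read directives from the post, with dn.exact in the <by> clauses.
ACL_EXACT = [
    ("oc=(.*),app=qwido", [("exact", "oc=$1,app=qwido"), ("exact", "app=qwido")]),
    ("app=qwido", [("exact", "app=qwido")]),
]

# The same directives with ".exact" removed: a bare dn= <by> clause is
# treated as a regex (assumption about slapd.access(5) semantics).
ACL_BARE = [
    ("oc=(.*),app=qwido", [("regex", "oc=$1,app=qwido"), ("regex", "app=qwido")]),
    ("app=qwido", [("regex", "app=qwido")]),
]

# Hypothetical hardened form: explicit regex style, anchored with ^ and $,
# and $1 limited to one RDN value so a sub-entry cannot satisfy the <what>.
ACL_ANCHORED = [
    ("^oc=([^,]+),app=qwido$",
     [("regex", "^oc=$1,app=qwido$"), ("regex", "^app=qwido$")]),
    ("^app=qwido$", [("regex", "^app=qwido$")]),
]


def expand(pattern, groups):
    """Replace $N with the N-th capture of the <what> match (empty if absent)."""
    def sub(m):
        n = int(m.group(1))
        return groups[n - 1] if n <= len(groups) else ""
    return re.sub(r"\$(\d)", sub, pattern)


def by_matches(style, pattern, bind_dn, groups):
    """Model of one <by dn...> clause.

    exact: the bind DN must equal the pattern literally; $N is not expanded
           (that needs the ',expand' modifier, which the posted ACL lacks).
    regex: $N is expanded, then the pattern is searched unanchored, so a
           pattern like "app=qwido" matches every DN in the tree.
    """
    if style == "exact":
        return bind_dn == pattern
    if style == "regex":
        return re.search(expand(pattern, groups), bind_dn) is not None
    raise ValueError(f"unknown dn style: {style}")


def can_read(acl, bind_dn, entry_dn):
    """The first directive whose <what> matches the entry decides; within it
    the first matching <by> clause grants access.  No match means deny."""
    for what, by_clauses in acl:
        m = re.search(what, entry_dn)  # a bare <what> dn= is a regex as well
        if m is None:
            continue
        return any(by_matches(style, pat, bind_dn, m.groups())
                   for style, pat in by_clauses)
    return False


def readable(acl, bind_dn):
    """Entries of TREE that bind_dn may read under the given ACL."""
    return [e for e in TREE if can_read(acl, bind_dn, e)]


if __name__ == "__main__":
    for name, acl in (("exact", ACL_EXACT), ("bare", ACL_BARE), ("anchored", ACL_ANCHORED)):
        for bind_dn in TREE:
            print(f"{name:8} {bind_dn:36} -> {readable(acl, bind_dn)}")
```

Under `ACL_EXACT` the `app=qwido` bind sees all four entries and the two other binds see nothing, because `oc=$1,app=qwido` is compared as a literal string that no bind DN equals. Under `ACL_BARE` every bind DN that contains the substring `app=qwido` satisfies the second `<by>` clause of both directives, so everyone reads everything, including `oc=isp002` reading `oc=isp001`. The anchored variant gives each `oc=` entry to its own bind DN only; note that it no longer covers the `manager=...` sub-entries at all, so those would need their own directive rather than being swept up by an unanchored `(.*)`.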