
Re: [LDAP-SOFTWARE] ACL and regex (matching self)



At 02:33 AM 2/23/2003, Ace Suares wrote:

>> At 12:29 AM 2/23/2003, Ace Suares wrote:
>> >As I found out, the self directive does NOT work !
>>
>> Did test006-acls pass when you ran the test suite?  If so,
>> then it demonstrates that a "by self" clause does work.
>
>It might be the case that I don't have these test-suites.

They are included in every release of OpenLDAP Software
(as distributed by the OpenLDAP Project) in the "tests"
directory.

>I can't find them on Debian Woody (yet).

Well, you might want to find them.  Aside from allowing you to
test the software, the suite provides a number of useful examples.

>But, I was not pointing out that the self directive doesn't work, I just 
>pointed out that the self directive didn't work in this special circumstance.

I assume you mean "didn't work as expected".  I suspect you are
confused as to what the applicable subject (authorization) and
target (entry) DNs are.  The logs tell exactly who is
accessing what (STATS) and which "to" and "by" clauses contribute to
the access allowed/denied (ACLs).  Other logging may also be useful.

>But then again, I am getting more and more confused with trial-and-error 
>processing of these ACLs. It might very well be that I drew wrong 
>conclusions from inconclusive tests.

I suggest you go back to the very basic ACL, such as the one
provided in the example slapd.conf(5) file provided in the
distribution (as provided by the project) and then slowly
add new clauses (using operations and logs to confirm they
do what you think they should do).

>You are saying that in the mentioned case, where there is a regular expression in 
>the 'to' clause, the self directive is working?

As far as I know, the "by self" clause works just fine regardless of
the particulars of the "to" clause.

Kurt
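
An illustration of the incremental approach suggested in this message, added here as an example and not taken from the thread or from the OpenLDAP distribution: a slapd.conf fragment that starts from a basic ACL, adds one regex "to" clause with "by self", and enables the STATS and ACL logging needed to confirm each step. The suffix dc=example,dc=com and the ou=People layout are placeholders, and the directives use the dn.regex/attrs spelling documented in slapd.access(5); older releases spell some of these keywords differently.

```conf
# Added example. dc=example,dc=com and ou=People are placeholder names.

# Log operation statistics (256) plus ACL processing (128), so every
# request shows the bound DN, the target entry, and the clause applied.
loglevel 384

# Step 2: added only after step 1 has been confirmed with the logs.
# A regex "to" clause restricting userPassword on user entries.
# "by self" matches when the authorization (bound) DN equals the DN of
# the target entry, independent of how the "to" clause selected it.
# slapd applies the first "to" clause that matches the target, so this
# more specific rule has to precede "access to *".
access to dn.regex="^uid=[^,]+,ou=People,dc=example,dc=com$" attrs=userPassword
	by self write
	by anonymous auth
	by * none

# Step 1: the basic ACL to start from.
access to *
	by self write
	by users read
	by anonymous auth
```

After each change, bind as a test user, repeat the same search or modify, and compare the bound DN and target DN in the log with the clause that was applied.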