
Re: ACLs, groups, and regular expressions... oh my



I forgot to mention that this is version 2.1.13 running on a Slackware 8.0
server.


> I have been trying to formulate an acl that will allow read access to
> the ldap server, if they are a member of any of the groups.
>
> Here is the acl I came up with:
>
> access to *
>    by group="cn=(.*),dc=example,dc=com" read
>    by anonymous bind
>    by * none
>

And I should mention here that if I substitute one of the group names in
for the regular expression match, everything works great, so I know that
the rest of the acl is fine.

> Now as I see it anybody that is a member of any group there should get
> read access to the box.  However, that of course, is not happening.
>
> Here is a bit of the debug output that I am getting
>
> => acl_mask: to all values by "uid=beavis,dc=example,dc=com", (=n) =>
> string_expand: pattern:  cn=(.*),dc=example,dc=com
> => string_expand: expanded: cn=(.*),dc=example,dc=com
> >>> dnNormalize: <cn=(.*),dc=example,dc=com>
> => ldap_bv2dn(cn=(.*),dc=example,dc=com,0)
> <= ldap_bv2dn(cn=(.*),dc=example,dc=com)=0
> => ldap_dn2bv(272)
> <= ldap_dn2bv(cn=(.*),dc=example,dc=com,272)=0
> <<< dnNormalize: <cn=(.*),dc=example,dc=com>
> => regex_matches: string:        uid=beavis,dc=example,dc=com
> => regex_matches: rc: 1 no matches
> <= check a_dn_pat: anonymous
> <= check a_dn_pat: *
> <= acl_mask: [4] applying none(=n) (stop)
> <= acl_mask: [4] mask: none(=n)
> => access_allowed: search access denied by none(=n)
>
> Looks to me like it's not expanding the regular expression to, but
> that's just my guess.
>
> Any clues????
>
> paul wilson
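When reading a slapd `acl_mask` trace like the one quoted above it helps to pull out the three things that matter: who is being evaluated, what each `by` clause actually tested, and which clause finally applied. The script below is an added example written for this thread, not code from the original message or from OpenLDAP. It parses the trace lines in the formats shown above (the sample input is constructed from the quoted trace, with the mail quote prefix removed and the wrapped first line joined) and reports why the search ended up denied.

```python
import re

# Constructed sample input: the acl_mask trace quoted in the thread, with the
# "> " quote prefix stripped and the wrapped first line rejoined. Not captured
# from a live server.
SAMPLE_TRACE = """\
=> acl_mask: to all values by "uid=beavis,dc=example,dc=com", (=n)
=> string_expand: pattern:  cn=(.*),dc=example,dc=com
=> string_expand: expanded: cn=(.*),dc=example,dc=com
>>> dnNormalize: <cn=(.*),dc=example,dc=com>
=> ldap_bv2dn(cn=(.*),dc=example,dc=com,0)
<= ldap_bv2dn(cn=(.*),dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=(.*),dc=example,dc=com,272)=0
<<< dnNormalize: <cn=(.*),dc=example,dc=com>
=> regex_matches: string:        uid=beavis,dc=example,dc=com
=> regex_matches: rc: 1 no matches
<= check a_dn_pat: anonymous
<= check a_dn_pat: *
<= acl_mask: [4] applying none(=n) (stop)
<= acl_mask: [4] mask: none(=n)
=> access_allowed: search access denied by none(=n)
"""

# Line shapes taken from the trace above; anything else is ignored.
RE_ACL_MASK = re.compile(r'^=> acl_mask: to (?P<what>.+?) by "(?P<bind_dn>[^"]*)", \((?P<mask>[^)]*)\)$')
RE_EXPANDED = re.compile(r'^=> string_expand: expanded: (?P<pattern>.+)$')
RE_REGEX_STR = re.compile(r'^=> regex_matches: string:\s+(?P<subject>.+)$')
RE_REGEX_RC = re.compile(r'^=> regex_matches: rc: (?P<rc>\d+) (?P<verdict>.+)$')
RE_DN_PAT = re.compile(r'^<= check a_dn_pat: (?P<pat>.+)$')
RE_APPLY = re.compile(r'^<= acl_mask: \[(?P<idx>\d+)\] applying (?P<access>\w+)\((?P<mask>[^)]*)\) \((?P<control>\w+)\)$')
RE_RESULT = re.compile(r'^=> access_allowed: (?P<op>\w+) access (?P<verdict>granted|denied) by (?P<access>\w+)\((?P<mask>[^)]*)\)$')


def parse_acl_trace(text):
    """Walk one acl_mask evaluation and collect the bind DN, the expanded
    patterns, every regex check with its subject and outcome, the plain DN
    patterns tried, the clause that applied and the final access_allowed line."""
    summary = {
        "bind_dn": None,
        "expanded_patterns": [],
        "regex_checks": [],        # dicts: pattern, subject, rc, matched
        "dn_patterns_checked": [],
        "applied": None,           # {"clause": int, "access": str, "control": str}
        "result": None,            # {"op": str, "verdict": str, "access": str}
    }
    pending_pattern = None   # last expanded pattern, paired with the next regex check
    pending_subject = None   # string regex_matches is about to report on
    for raw in text.splitlines():
        line = raw.strip()
        if (m := RE_ACL_MASK.match(line)):
            summary["bind_dn"] = m.group("bind_dn")
        elif (m := RE_EXPANDED.match(line)):
            pending_pattern = m.group("pattern")
            summary["expanded_patterns"].append(pending_pattern)
        elif (m := RE_REGEX_STR.match(line)):
            pending_subject = m.group("subject")
        elif (m := RE_REGEX_RC.match(line)):
            # slapd prints "matches" or "no matches" next to the regexec rc;
            # trust the word rather than guessing the rc convention.
            summary["regex_checks"].append({
                "pattern": pending_pattern,
                "subject": pending_subject,
                "rc": int(m.group("rc")),
                "matched": m.group("verdict").strip() == "matches",
            })
            pending_subject = None
        elif (m := RE_DN_PAT.match(line)):
            summary["dn_patterns_checked"].append(m.group("pat"))
        elif (m := RE_APPLY.match(line)):
            summary["applied"] = {"clause": int(m.group("idx")),
                                  "access": m.group("access"),
                                  "control": m.group("control")}
        elif (m := RE_RESULT.match(line)):
            summary["result"] = {"op": m.group("op"),
                                 "verdict": m.group("verdict"),
                                 "access": m.group("access")}
    return summary


def diagnose(summary):
    """Turn the parsed trace into short, trace-backed findings."""
    findings = []
    for chk in summary["regex_checks"]:
        if not chk["matched"]:
            findings.append(f'pattern {chk["pattern"]!r} was tested against '
                            f'{chk["subject"]!r} and did not match')
    applied = summary["applied"]
    if applied and applied["access"] == "none":
        findings.append(f'evaluation fell through to clause [{applied["clause"]}] '
                        f'(access none, {applied["control"]})')
    result = summary["result"]
    if result and result["verdict"] == "denied":
        findings.append(f'{result["op"]} denied for {summary["bind_dn"]}')
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_acl_trace(SAMPLE_TRACE)):
        print("-", finding)
```

Run against the quoted trace it reports that the expanded pattern `cn=(.*),dc=example,dc=com` was tested against the bind DN `uid=beavis,dc=example,dc=com` and did not match, that the `anonymous` and `*` DN patterns were then checked, and that clause [4] (`none`, stop) applied, which is exactly what the `access_allowed` line confirms. Pointing the script at `slapd -d acl` output from your own server is a quick way to confirm which `by` clause is winning before touching the ACL.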