
Re: Openldap 2.0.25 acl not working for me



Eric said:
> Hello,
>
>    I'm trying to get a particular acl working here...
>
> I'm using OpenLDAP 2.0.25 and FreeBSD 4.7.
>
> Basically I want to restrict access to an attribute located in
> ou=domain.com, ou=domains, dc=globalrelay, dc=net.
> I'm trying to give connections that have bound as that record's
> child entry read access.
>
>
> Here's what I've set, it seems to constantly deny me when I've logged
> in as uid=user, ou=domain.com, ou=domains, dc=globalrelay, dc=net:
>
> access to dn.regex="^ou=([^,])+,ou=domains,dc=globalrelay,dc=net$"
> attr=privateAttribute
>         by dn="cn=admin,dc=globalrelay,dc=net" write
>         by dn.regex="^.*,ou=$1,ou=domains,dc=globalrelay,dc=net$" read
>         by * none
>
> I've also tried out something similar to this:
>         by dn.children="ou=$1,ou=domains,dc=globalrelay,dc=net" read
> with a similar lack of success.
>
>
> Here's a piece of the logs that pertain to the acl checking
> for "privateAttribute":
> ===================================================
> slapd[39118]: => access_allowed: read access to
> "ou=domain.com,ou=domains,dc=globalrelay,dc=net" "privateAttribute"
> requested
> slapd[39118]: => dnpat: [1] ^ou=([^,])+,ou=domains,dc=globalrelay,dc=net$
> nsub: 1
> slapd[39118]: => acl_get: [1] matched
> slapd[39118]: => acl_get: [1] check attr privateAttribute
> slapd[39118]: <= acl_get: [1] acl
> ou=domain.com,ou=domains,dc=globalrelay,dc=net attr: privateAttribute
> slapd[39118]: => acl_mask: access to entry
> "ou=domain.com,ou=domains,dc=globalrelay,dc=net", attr "privateAttribute"
> requested
> slapd[39118]: => acl_mask: to all values by
> "UID=USER,OU=DOMAIN.COM,OU=DOMAINS,DC=GLOBALRELAY,DC=NET", (=n)
> slapd[39118]: <= check a_dn_pat: cn=admin,dc=globalrelay,dc=net
> slapd[39118]: <= check a_dn_pat:
> ^.*,ou=$1,ou=domains,dc=globalrelay,dc=net$
> slapd[39118]: <= check a_dn_pat: *
> slapd[39118]: <= acl_mask: [3] applying none (=n) (stop)
> slapd[39118]: <= acl_mask: [3] mask: none (=n)
> slapd[39118]: => access_allowed: read access denied by none (=n)
> slapd[39118]: acl: access to attribute privateAttribute not allowed
> ===================================================

2.0.27 fails just the same...
I'm not sure where to go on this?

Thanks,
Eric
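As an added example (not part of the thread), a small Python emulation of how slapd expands `$1` from the `what` dn.regex into the `by` dn.regex and then matches the bind DN. It shows that with `([^,])+` the subexpression keeps only the last character it matched, so `$1` expands to `m`, whereas `([^,]+)` captures the whole `ou` value; the function names and the case-insensitive matching of normalized DNs are assumptions.

```python
import re

# Constructed DNs taken from the thread: the target entry and the binding user.
TARGET_DN = "ou=domain.com,ou=domains,dc=globalrelay,dc=net"
BIND_DN = "uid=user,ou=domain.com,ou=domains,dc=globalrelay,dc=net"

# The <by> pattern from the thread; $1 refers to the first
# subexpression captured by the <what> dn.regex.
BY_TEMPLATE = r"^.*,ou=$1,ou=domains,dc=globalrelay,dc=net$"


def expand_by_pattern(what_regex, target_dn, by_template):
    """Match the <what> regex against the target DN and substitute the
    captured groups into the <by> template, like slapd's $N expansion.
    Returns (captured_group_1, expanded_by_regex) or None if <what> fails."""
    m = re.match(what_regex, target_dn, re.IGNORECASE)
    if m is None:
        return None
    expanded = by_template
    for i, group in enumerate(m.groups(), start=1):
        expanded = expanded.replace(f"${i}", group)
    return m.group(1), expanded


def read_allowed(what_regex, target_dn, by_template, bind_dn):
    """Emulate the single 'by dn.regex=... read' clause: True if the
    expanded pattern matches the bind DN (case-insensitive, as slapd
    matches normalized DNs; an assumption for this emulation)."""
    result = expand_by_pattern(what_regex, target_dn, by_template)
    if result is None:
        return False
    _, by_regex = result
    return re.match(by_regex, bind_dn, re.IGNORECASE) is not None


# Pattern as posted: the '+' sits outside the group, so the group only
# holds the last character it matched ("m"), and $1 expands to "m".
POSTED_WHAT = r"^ou=([^,])+,ou=domains,dc=globalrelay,dc=net$"
# Same pattern with the '+' inside the group: $1 holds the whole RDN value.
FIXED_WHAT = r"^ou=([^,]+),ou=domains,dc=globalrelay,dc=net$"

if __name__ == "__main__":
    for label, what in (("posted", POSTED_WHAT), ("fixed", FIXED_WHAT)):
        cap, by_regex = expand_by_pattern(what, TARGET_DN, BY_TEMPLATE)
        ok = read_allowed(what, TARGET_DN, BY_TEMPLATE, BIND_DN)
        print(f"{label}: $1={cap!r} by={by_regex} -> read {'allowed' if ok else 'denied'}")
```

Running it prints the expanded `by` pattern for both forms, which is the quickest way to check a dn.regex ACL before turning on ACL debug logging.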