
Re: ACL group.regex in 2.1.22



Ace Suares <ace@suares.nl> writes:

> Dear all,
>
> Again, those ACL bit me in places I don't want to be bitten :-(
>
> I have the following ACL:
>
> access to 
> dn.regex="^qService=(.*),qDomain=(.*),qRole=domain,qIsp=(.*),qRole=isp,qApp=qwido" 
> 	by dn.regex="qManager=.*,qRole=manager,qIsp=$3,qRole=isp,qApp=qwido" write
> 	by dn.regex="^qDomain=$2,qRole=domain,qIsp=$3,qRole=isp,qApp=qwido" read
> 	by group="^qGroup=$1,qDomain=$2,qRole=domain,qIsp=$3,qRole=isp,qApp=qwido" 
> read
> 	by dn.regex="qRole=123,qApp=qwido" read
> 	by * none
>
>
> I know, it's complicated to read, but just note that the 3rd 'by' clause is 
> 'group'.
>
> Now, in my log files, I see:
>
> <= acl_get: [8] acl qService=ftp,qDomain=suares.com,qRole=domain,qIsp=
> isp001,qRole=isp,qApp=qwido attr: objectClass
> => acl_mask: access to entry "qService=ftp,qDomain=suares.com,qRole=do
> main,qIsp=isp001,qRole=isp,qApp=qwido", attr "objectClass" requested
> => acl_mask: to all values by "qManager=man001,qRole=manager,qDomain=s
> uares.com,qRole=domain,qIsp=isp001,qRole=isp,qApp=qwido", (=n)
> <= check a_dn_pat: qManager=.*,qRole=manager,qIsp=$3,qRole=isp,qApp=qw
> ido
> <= check a_dn_pat: ^qDomain=$2,qRole=domain,qIsp=$3,qRole=isp,qApp=qwi
> do
> <= check a_dn_pat: qRole=123,qApp=qwido
> <= check a_dn_pat: *
> <= acl_mask: [5] applying none(=n) (stop)
> <= acl_mask: [5] mask: none(=n)
> => access_allowed: search access denied by none(=n)
>
> Again, difficult to read, but note that the 'by group' doesn't show up while 
> all the others (by dn.regex, and *) do.
>
> What's the reason for this? Do I need to upgrade? Did I overlook something 
> very simple!?
>
> Any help would be appreciated. 

by dn.regex="qManager=.*,qRole=manager,qIsp=$3,qRole=isp,qApp=qwido" write
qManager=man001,qRole=manager,qDomain=suares.com,qRole=domain,qIsp=isp001,qRole=isp,qApp=qwido

Please compare your 'who' clause with the distinguished name you want
to get access with.

-Dieter
-- 
Dieter Kluenter  | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter(at)dkluenter.de
http://www.avci.de
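To see why the first 'who' clause never matches the bind DN from the log, here is an added Python model of slapd's $N substitution and regex check (example code written for this thread, not OpenLDAP's own code or the poster's). It assumes clauses are tried in order, that a dn.regex clause matches when the expanded regex is found anywhere in the DN (an unanchored search, like regexec), and it leaves out the 'by group' clause because slapd evaluates that by group membership rather than as a DN pattern, which is why it never appears among the 'check a_dn_pat' lines.

```python
import re

# Target regex and dn.regex who-clauses, copied from the posted ACL.
TARGET_REGEX = r"^qService=(.*),qDomain=(.*),qRole=domain,qIsp=(.*),qRole=isp,qApp=qwido"
WHO_CLAUSES = [
    ("qManager=.*,qRole=manager,qIsp=$3,qRole=isp,qApp=qwido", "write"),
    ("^qDomain=$2,qRole=domain,qIsp=$3,qRole=isp,qApp=qwido", "read"),
    ("qRole=123,qApp=qwido", "read"),
    ("*", "none"),
]

# Hypothetical alternative first clause (an assumption, not from the post):
# it spells out the qDomain/qRole components that sit between qRole=manager
# and qIsp in the manager's DN, so the expanded regex can actually match.
FIXED_WHO_CLAUSES = [
    ("^qManager=[^,]+,qRole=manager,qDomain=$2,qRole=domain,qIsp=$3,qRole=isp,qApp=qwido$", "write"),
] + WHO_CLAUSES[1:]

# DNs taken from the acl_mask log lines in the post.
TARGET_DN = "qService=ftp,qDomain=suares.com,qRole=domain,qIsp=isp001,qRole=isp,qApp=qwido"
BIND_DN = ("qManager=man001,qRole=manager,qDomain=suares.com,qRole=domain,"
           "qIsp=isp001,qRole=isp,qApp=qwido")


def expand(pattern, target_match):
    """Replace $1..$9 with the groups captured from the target DN; the captured
    text is inserted verbatim into the who-regex, as slapd does."""
    return re.sub(r"\$([1-9])",
                  lambda m: target_match.group(int(m.group(1))), pattern)


def evaluate(target_dn, bind_dn, who_clauses=WHO_CLAUSES):
    """Return (expanded_who, access) for the first who-clause matching bind_dn,
    or None if the target DN does not match the 'access to' regex at all."""
    target_match = re.search(TARGET_REGEX, target_dn)
    if target_match is None:
        return None
    for who, access in who_clauses:
        if who == "*":
            return (who, access)  # '*' matches every requester
        expanded = expand(who, target_match)
        if re.search(expanded, bind_dn):
            return (expanded, access)
    return None


if __name__ == "__main__":
    print(evaluate(TARGET_DN, BIND_DN))                     # falls through to ('*', 'none')
    print(evaluate(TARGET_DN, BIND_DN, FIXED_WHO_CLAUSES))  # matches with 'write'
```

With the posted clauses the manager DN falls through to `by * none`, exactly as the log shows, because the expanded regex requires `qRole=manager,qIsp=isp001` to be adjacent while the real DN has `qDomain=suares.com,qRole=domain` in between.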