
Re: slapd and permissions



Jernej Kos wrote:

I am trying to get this working:

access to dn="ou=Domains,uid=(.*),ou=Drones,dc=unimatrix-one,dc=org"
       by dn="cn=root,dc=unimatrix-one,dc=org" write
       by dn="cn=borgd,dc=unimatrix-one,dc=org" write
       by dn="uid=$1,ou=Drones,dc=unimatrix-one,dc=org" write
       by * read

But it is just being ignored (users still don't have write permission). What is wrong?



Depending on the version of the code you're running, this can either be wrong
or right. In 2.1, this should be almost fine; in 2.2 it's definitely wrong, because
the default for DN match in <who> clauses has moved from "regex" to "exact",
and your third <who> clause doesn't do what you expect. This is very well
documented in the slapd.access(5) man page that accompanies the code in each
version (I wrote it myself, so I know it quite well), and it is a clear demonstration
that defaults should never be trusted (I think they'll be removed at some point).
It has also been mentioned many times on the mailing lists because it is a common
source of errors.


p.




SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
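The same ACL with every match style spelled out, so that it no longer depends on the per-version default the reply describes. This is an added example written for this thread, not the poster's configuration nor text taken from slapd.access(5); the DNs are the ones from the question, the "dn.exact"/"dn.regex" style selectors are the documented slapd.access(5) forms, and the choice of "[^,]+" and the "^...$" anchors is the editor's, so the capture can never spill across RDN boundaries or match a DN that merely contains the pattern as a substring.

```conf
# slapd.conf fragment for OpenLDAP 2.2 (added example, not from the original thread).
# In 2.2 a bare dn="..." in a <who> clause is an exact match, so "$1" is never
# expanded there; state the style explicitly on every clause instead.
#
# <what>: dn.regex so that the uid is captured into $1. Anchored, and the
# capture is [^,]+ rather than .* so it cannot run past the uid RDN.
access to dn.regex="^ou=Domains,uid=([^,]+),ou=Drones,dc=unimatrix-one,dc=org$"
        # Administrative identities: plain exact matches, no expansion needed.
        by dn.exact="cn=root,dc=unimatrix-one,dc=org" write
        by dn.exact="cn=borgd,dc=unimatrix-one,dc=org" write
        # The drone itself: dn.regex is required here, because $1 from the
        # <what> clause is only substituted into regex-style <who> patterns.
        # The result is anchored so only that one drone entry matches.
        by dn.regex="^uid=$1,ou=Drones,dc=unimatrix-one,dc=org$" write
        by * read
```

After changing the ACL, restart slapd and retest as the drone identity (for example an ldapmodify bound as uid=<drone>,ou=Drones,... against its own ou=Domains subtree); if the clause still does not fire, check that no earlier "access to" directive in slapd.conf matches the same DN first, since the first matching <what> wins.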