
ACL problem

I have, on the advice of Kurt Zeilenga, tried to define an object class in order to set an ACL on a list of 30 or so attributes in a concise way.

The objectclass is defined like this:

objectclass     ( BathObjectClass:8 NAME 'BathDOEPerson'
   DESC 'Used in slapd.conf to set ACL for bathdoe attributes'
   SUP top AUXILIARY
   MAY ( bathdoeexpertise $ bathdoeprofbodies $
         bathdoegrants $ bathdoekeyword $ bathdoepublications $
         bathdoepublicationsurl $ bathdoequalifications $
         bathdoeeducation $ bathdoeproqualifications $
         bathdoecareer $ bathdoesabbaticalleave $
         bathdoeprizes $ bathdoeexternalbodies $
         bathdoeteachingactivities $ bathdoeadministration $
         bathdoeexternalactivities $ bathdoeexhibitions $
         bathdoeprofessionalpractice $ bathdoeconsultancies $
         bathdoeresearchinterests $ bathdoepatents $
         bathdoecommerciallinks $ bathdoeresearchstudents $
         bathdoeexternalexaminer $ bathdoeconferencetalks $
         bathdoeconferencechairing $ bathdoeseminars $
         bathdoefurtherinformation $ bathdoeoptions $
         bathdoestatus )
   )

My entire ACL list looks like this:

access to attr=userPassword
      by self write
      by anonymous auth
      by dn.base="cn=directory manager,o=bath.ac.uk" write
      by * none
access to attr=@bathdoeperson
      by self write
      by dn.base="cn=directory manager,o=bath.ac.uk" write
      by * none
access to *
      by dn.base="cn=directory manager,o=bath.ac.uk" write
      by * read

This does work for the bathdoe attributes. However, it seems to have unexpected consequences for the objectClass attribute type.

An anonymous user cannot see or query using the objectClass for the person or organizationalRole entries. An authenticated user can see the objectClasses associated with their own person entry but not their own organizationalRole entries, and they cannot see objectClasses for other users.

If I remove the middle ACL (@bathdoeperson), there are no restrictions on objectClass or the bathdoe attribute types (as expected).

An explanation would be much appreciated and would no doubt add to my understanding of ACLs.


Paul Christie Bath University Computing Services
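The following is an added example, not part of the post above and not OpenLDAP's own code: a small Python model of two things slapd does when evaluating the ACLs quoted in the post. It assumes (as slapd.access(5) documents) that an `attrs=@objectclass` selector expands to every MUST and MAY attribute of that class and of its superior chain, that the abstract class `top` has `MUST objectClass`, and that `access to` clauses are evaluated first-match with an implicit `by * none` at the end of each clause. The schema (abridged to a few of the bathdoe attributes) and the entry DNs are constructed for the demonstration; running it shows which attribute types the middle ACL actually captures and what each kind of requester ends up with.

```python
# Added example: model of slapd's "@objectclass" attribute selector and
# first-match ACL evaluation, used to check the three ACLs from the post.
# Assumptions (not from the post): @oc expands to MUST+MAY of the class and
# its superiors; 'top' has MUST objectClass; an unmatched 'by' list denies.
from dataclasses import dataclass

MANAGER = "cn=directory manager,o=bath.ac.uk"

# Constructed schema: the post's auxiliary class (abridged) plus its superior.
SCHEMA = {
    "top": {"sup": None, "must": {"objectclass"}, "may": set()},
    "bathdoeperson": {
        "sup": "top",
        "must": set(),
        "may": {"bathdoeexpertise", "bathdoeprofbodies", "bathdoegrants",
                "bathdoekeyword", "bathdoepublications", "bathdoestatus"},
    },
}

LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def expand_objectclass(oc):
    """Attribute types selected by attrs=@<oc>: MUST and MAY of oc and all superiors."""
    attrs = set()
    while oc is not None:
        cls = SCHEMA[oc.lower()]
        attrs |= cls["must"] | cls["may"]
        oc = cls["sup"]
    return attrs


@dataclass
class Access:
    target: object   # "*" or a set of lower-cased attribute names
    by: list         # ordered (who, level) pairs, as written in slapd.conf


def who_matches(who, subject, entry_dn):
    """Does a 'by <who>' clause apply to this requester for this entry?"""
    if who == "*":
        return True
    if who == "anonymous":
        return subject is None
    if who == "self":
        return subject is not None and subject.lower() == entry_dn.lower()
    if who.startswith("dn.base="):
        wanted = who[len("dn.base="):].strip('"').lower()
        return subject is not None and subject.lower() == wanted
    return False


def build_acls():
    """The three 'access to' directives from the post, in order."""
    mgr = f'dn.base="{MANAGER}"'
    return [
        Access({"userpassword"},
               [("self", "write"), ("anonymous", "auth"), (mgr, "write"), ("*", "none")]),
        Access(expand_objectclass("bathdoeperson"),
               [("self", "write"), (mgr, "write"), ("*", "none")]),
        Access("*", [(mgr, "write"), ("*", "read")]),
    ]


def access_level(acls, subject, entry_dn, attr):
    """First 'access to' whose target covers attr decides; within it the first
    matching 'by' decides; no matching 'by' means the implicit 'by * none'."""
    attr = attr.lower()
    for acl in acls:
        if acl.target != "*" and attr not in acl.target:
            continue
        for who, level in acl.by:
            if who_matches(who, subject, entry_dn):
                return level
        return "none"
    return "none"


def can_read(acls, subject, entry_dn, attr):
    return LEVELS.index(access_level(acls, subject, entry_dn, attr)) >= LEVELS.index("read")


if __name__ == "__main__":
    acls = build_acls()
    paul, role = "uid=paul,o=bath.ac.uk", "cn=webmaster,o=bath.ac.uk"
    print("attrs covered by @bathdoeperson:", sorted(expand_objectclass("bathdoeperson")))
    for label, subject, dn in [("anonymous/person", None, paul),
                               ("self/person", paul, paul),
                               ("self/role", paul, role),
                               ("manager/person", MANAGER, paul)]:
        print(f"{label:18} objectClass -> {access_level(acls, subject, dn, 'objectClass')}")
```

Because `objectClass` is a MUST of `top`, and every structural and auxiliary class ultimately inherits from `top`, the `@bathdoeperson` selector covers `objectClass` as well as the thirty bathdoe attributes, so the `by * none` in that clause is what anonymous requesters and non-self authenticated requesters hit. Listing the attributes explicitly, or adding a separate `access to attrs=objectClass` directive before the `@bathdoeperson` one, keeps the concise form while leaving `objectClass` readable; the model above lets you check such a change before editing slapd.conf.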