
problem with set ACL



Hello

I have a problem with the set keyword in ACL. 

Here is the setup. My directory has objects in two classes: 
persons and addresses

A person looks like this:
dn: cn=jdoe,ou=sales,dc=example,dc=net
cn: jdoe
rfc822Mailbox: John.Doe@example.net

An address looks like this:
dn: netExampleMail=John.Doe@example.net,dc=example,dc=net
netExampleMail: John.Doe@example.net
netExampleEnable: TRUE

Now I want to give a user the right to modify the netExampleEnable 
attribute for an address if his rfc822Mailbox matches the netExampleMail
of the address. 

After banging my head on the documentation for one day, I came to the 
conclusion that I had to use the set keyword. Here is what I tried:

access to dn.regex="netExampleMail=([^,]+),dc=example,dc=net"
  by set.expand=[ldap://localhost/dc=example,dc=net?dn?sub?rfc822Mailbox=$1]
    write
  by * read

The access is always granted, whatever address entry a user attempts to 
modify.

Worse: the URI dereferencing is ignored: replacing the LDAP host by an IP
address that has no LDAP service causes no error. Running tcpdump shows
that no attempt was made to connect to the LDAP service.

Here is the log output:

 => acl_mask: access to entry "netExampleMail=Random.User@example.net,dc=example,dc=net", attr "netExampleEnable" requested 
 => acl_mask: to all values by "cn=jdoe,ou=sales,dc=example,dc=net", (=0)  
 <= check a_set_pat: [ldap://example.net/dc=example,dc=net?dn?sub?rfc822mailbox=$1] 
 <= acl_mask: [1] applying write(=wrscxd) (stop) 
 <= acl_mask: [1] mask: write(=wrscxd) 
 => access_allowed: delete access granted by write(=wrscxd) 



-- 
Emmanuel Dreyfus
manu@netbsd.org
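Added example, not part of the post above: a small Python audit that replays the acl_mask trace from the message against the rule the ACL was meant to enforce (the requester's rfc822Mailbox must equal the netExampleMail that names the address entry) and flags any grant that rule would have denied. The mini-directory holding jdoe's mailbox is constructed from the two LDIF entries in the post.

```python
import re

# Constructed mini-directory modelled on the person entry in the post
# (dn -> attributes); a dict lookup stands in for a real LDAP search.
DIRECTORY = {
    "cn=jdoe,ou=sales,dc=example,dc=net": {"rfc822Mailbox": "John.Doe@example.net"},
}

# Patterns for the three acl_mask / access_allowed lines that matter.
ENTRY_RE = re.compile(r'acl_mask: access to entry "([^"]+)", attr "([^"]+)" requested')
BY_RE = re.compile(r'acl_mask: to all values by "([^"]+)"')
GRANT_RE = re.compile(r'access_allowed: (\w+) access granted by (\w+)')
MAIL_RE = re.compile(r'^netExampleMail=([^,]+),', re.IGNORECASE)

def parse_acl_trace(lines):
    """Collect one {entry, attr, by, access} record per granted request in the trace."""
    events, cur = [], {}
    for line in lines:
        if m := ENTRY_RE.search(line):
            cur = {"entry": m.group(1), "attr": m.group(2)}
        elif m := BY_RE.search(line):
            cur["by"] = m.group(1)
        elif m := GRANT_RE.search(line):
            cur["access"] = m.group(1)
            events.append(cur)
            cur = {}
    return events

def intended_write_allowed(requester_dn, entry_dn, directory=DIRECTORY):
    """The rule the ACL was meant to express: the requester's rfc822Mailbox must
    equal the netExampleMail naming the address (compared case-insensitively)."""
    m = MAIL_RE.match(entry_dn)
    if not m:
        return False
    mailbox = directory.get(requester_dn, {}).get("rfc822Mailbox", "")
    return mailbox.lower() == m.group(1).lower()

def find_unexpected_grants(lines, directory=DIRECTORY):
    """Return non-read grants on netExampleEnable that the intended rule would deny."""
    return [e for e in parse_acl_trace(lines)
            if e.get("attr") == "netExampleEnable" and e.get("access") != "read"
            and not intended_write_allowed(e.get("by", ""), e["entry"], directory)]

# The trace quoted in the post: jdoe is granted write on Random.User's address.
SAMPLE_TRACE = [
    '=> acl_mask: access to entry "netExampleMail=Random.User@example.net,dc=example,dc=net", attr "netExampleEnable" requested',
    '=> acl_mask: to all values by "cn=jdoe,ou=sales,dc=example,dc=net", (=0)',
    '<= check a_set_pat: [ldap://example.net/dc=example,dc=net?dn?sub?rfc822mailbox=$1]',
    '<= acl_mask: [1] applying write(=wrscxd) (stop)',
    '<= acl_mask: [1] mask: write(=wrscxd)',
    '=> access_allowed: delete access granted by write(=wrscxd)',
]
```

Running `find_unexpected_grants(SAMPLE_TRACE)` returns the single offending grant, which is exactly the symptom the post describes.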