Full_Name: Jim Campbell
Version: 2.2.8
OS: Solaris 8
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (147.188.40.2)

Hi,

With 2.2.8 has there been a change in the ACL syntax:

    access to *
        by sockurl="^ldapi:///$" write

as I now get permission denied from my Heimdal connection.

If I use:

    access to *
        by sockurl="^ldapi:///$" write
        by sockname="PATH=/var/opt/OPENldap/run/ldapi" write

Then it passes through the first check and succeeds with the second:

    => acl_mask: access to entry "ou=KerberosPrincipals,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK", attr "children" requested
    => acl_mask: to all values by "", (=n)
    <= check a_sockurl_pat: ^ldapi:///$
    <= check a_sockname_path: PATH=/var/opt/OPENldap/run/ldapi
    <= acl_mask: [2] applying write(=wrscx) (stop)
    <= acl_mask: [2] mask: write(=wrscx)
    => access_allowed: write access granted by write(=wrscx)
    => access_allowed: write access to "cn=krbtgt/np.ph.bham.ac.uk@np.ph.bham.ac.uk,ou=KerberosPrincipals,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK" "entry" requested

This used to work in 2.1.x

cheers
Jim
This change occurred ages ago. Read slapd.access(5) for details. To make a long story short, the default is exact. Expressly require regex evaluation. And don't rely on defaults.

p.

> Full_Name: Jim Campbell
> Version: 2.2.8
> OS: Solaris 8
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (147.188.40.2)
>
>
> Hi,
> With 2.2.8 has there been a change in the ACL syntax:
>     access to *
>         by sockurl="^ldapi:///$" write
> as I now get permission denied from my Heimdal connection.
> If I use:
>     access to *
>         by sockurl="^ldapi:///$" write
>         by sockname="PATH=/var/opt/OPENldap/run/ldapi" write
> Then it passes through the first check and succeeds with the second:
>     => acl_mask: access to entry
>     "ou=KerberosPrincipals,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK", attr "children" requested
>     => acl_mask: to all values by "", (=n)
>     <= check a_sockurl_pat: ^ldapi:///$
>     <= check a_sockname_path: PATH=/var/opt/OPENldap/run/ldapi
>     <= acl_mask: [2] applying write(=wrscx) (stop)
>     <= acl_mask: [2] mask: write(=wrscx)
>     => access_allowed: write access granted by write(=wrscx)
>     => access_allowed: write access to
>     "cn=krbtgt/np.ph.bham.ac.uk@np.ph.bham.ac.uk,
>     ou=KerberosPrincipals,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK" "entry" requested
>
> This used to work in 2.1.x
> cheers
> Jim

--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
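The ACL rewritten the way the reply asks for, as an added example that is not part of the original report or reply. It uses the socket path from the report and assumes slapd is started with a listener of `ldapi:///`; the `.regex` and `.exact` style qualifiers are the ones documented in slapd.access(5), and the default style under 2.2 is `exact`, so a clause that omits the style compares the literal string.

```conf
# slapd.conf ACL fragment (added example, not from the report).
#
# 2.1-era form: the pattern was evaluated as a regex by default, so the
# ^ and $ anchors did what the author expected. Under 2.2 the default
# style is "exact", so this clause compares the literal string
# "^ldapi:///$" against the listener URL and never matches:
#
#   access to *
#       by sockurl="^ldapi:///$" write
#
# Explicit regex style: same pattern, same meaning as in 2.1.x.
access to *
    by sockurl.regex="^ldapi:///$" write

# Alternative: say "exact" and give the literal listener URL
# (assumption: slapd was started with -h ldapi:///).
# access to *
#     by sockurl.exact="ldapi:///" write

# The sockname clause from the report, also with its style written
# out so that it does not depend on the default either.
# access to *
#     by sockname.exact="PATH=/var/opt/OPENldap/run/ldapi" write
```

Since only the first matching `access to` directive applies, keep one of the three forms active. The `access to *` scope is taken from the report; the log shows the writes landing under `ou=KerberosPrincipals,...`, so narrowing the `<what>` clause to that subtree limits what a local process on the ldapi socket can change while still letting the Heimdal backend work.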
changed notes
changed state Open to Closed
moved from Incoming to Archive.Incoming
not a bug