
Re: ACL's using group access do not work (ITS#2118)




--On Monday, October 07, 2002 3:31 PM -0700 "Kurt D. Zeilenga" 
<Kurt@OpenLDAP.org> wrote:

> At 03:12 PM 2002-10-07, Quanah Gibson-Mount wrote:
>> I haven't heard anything back on this from you in a bit, but I've got
>> more exciting debugging pieces of information. ;)
>
> Been busy... you just gave what I was just about to ask for...
> the schema definition for suRegID.
>
>> So (see output below),
>>
>> When it is going through looking at whether or not suRegID is a member
>> of the group supervisor, it is doing an OID validate? Why?
>
> Because you defined values of the attribute to be OIDs.
>
>> Should it care about the OID of suRegID?
>
> It cares about values of attribute.
>
>> Also, the "oid" it is validating appears to be my suRegID number.
>
> Yeap, 1.3.6.1.4.1.1466.155.121.1.38 is OID.
>
>> Is this then a problem with the schema definition of suRegID?
>>
>> attributetype ( 1.3.6.1.4.1.299.11.1.1 NAME ( 'suRegID' )
>>        EQUALITY objectIdentifierMatch
>>        SYNTAX 1.3.6.1.4.1.1466.155.121.1.38 SINGLE-VALUE)
>
> This explains the DN normalization failure.  Basically
> you are trying to compare two invalid values.  The
> comparison where the assertion and/or stored value is
> invalid is Undefined and this results in False match.
>
> You likely should define this to be some IA5 string with
> case ignore (IA5) matching.

Kurt,

Thanks, that fixed it.  I'm going to have a nice, long chat with the person 
writing our schema when they get back from vacation in Fiji next week.

--Quanah

--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
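
The matching behaviour described in the thread, as an added example that is not part of the original messages and is not OpenLDAP code: a simplified Python model in which a comparison on invalid values is Undefined and therefore grants nothing. The suRegID value `4567890` is constructed, the function names are hypothetical, and the syntax checks follow the RFC 4512 `oid` grammar and RFC 4517 `caseIgnoreIA5Match` only approximately.

```python
import re

# RFC 4512: oid = descr / numericoid
#   numericoid = number 1*( DOT number )   (at least two arcs, no leading zeros)
#   descr      = ALPHA *( ALPHA / DIGIT / HYPHEN )
NUMERICOID = re.compile(r"(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+")
DESCR = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def valid_oid(value):
    """True if value is syntactically an OID (OID syntax, ...121.1.38)."""
    return bool(NUMERICOID.fullmatch(value) or DESCR.fullmatch(value))


def valid_ia5(value):
    """True if every character is in the 7-bit IA5 range."""
    return all(ord(c) < 128 for c in value)


def object_identifier_match(stored, asserted):
    """Return True/False, or None (Undefined) if either value is invalid.

    Simplification: a descr is compared as text, not resolved via the schema.
    """
    if not (valid_oid(stored) and valid_oid(asserted)):
        return None
    return stored.lower() == asserted.lower()


def case_ignore_ia5_match(stored, asserted):
    """Case-insensitive match with insignificant spaces collapsed."""
    if not (valid_ia5(stored) and valid_ia5(asserted)):
        return None

    def norm(v):
        return " ".join(v.split()).lower()

    return norm(stored) == norm(asserted)


def acl_grants(match_result):
    """Undefined (None) is treated like False: no match, no access."""
    return match_result is True


if __name__ == "__main__":
    reg_id = "4567890"  # constructed sample: a bare number is not a valid OID
    for rule in (object_identifier_match, case_ignore_ia5_match):
        result = rule(reg_id, reg_id)
        print(f"{rule.__name__}: match={result!r} access={acl_grants(result)}")
```
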