[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Serious problem with access clause (ITS#2557)

> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of quanah@stanford.edu

> Full_Name: Quanah Gibson-Mount
> Version: 2.1.20
> OS: Solaris 8
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (
> Hello,
> I find that I cannot implement the following ACL due to limitations in
> OpenLDAP:
> access to dn.children="cn=People,dc=stanford,dc=edu"
> attrs=cn,sn,objectClass,givenName,suPrivilegeGr
 ... ...
>         by dn.base="cn=adharv,cn=applications,dc=stanford,dc=edu" read
>         by * break
> The error I receive is:
> /usr/local/etc/openldap/slapd.acl: line 62: unknown attr
> "suGwAffilPhon" in to
> clause
> Obviously, it is reaching a string limit.


> I can not fix this by making it
> seperate lines, as it uses a line break to differentiate
> between the to and by pieces of the ACL.

That's not true; the ACL parser doesn't care about line breaks, it just looks
for the word "to" or "by" wherever it occurs in the input. Break up the input
into multiple lines anywhere you wish, it will work.

You might also be able to shorten the list if any of those attributes are
completely defined by a particular objectclass. Then you could just use
attrs=<objectclass> to control access to all of the attributes in that

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support