(ITS#3780) val.regex with attributes doesn't honor searches



Full_Name: Quanah Gibson-Mount
Version: 2.2.26
OS: Solaris 8
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (171.64.19.82)


I have the following ACL:

access to dn.children="cn=people,dc=stanford,dc=edu" attrs=suPrivilegeGroup val.regex="^itss-smarts:.+"
    by dn.base="cn=smarts,cn=service,cn=applications,dc=stanford,dc=edu" sasl_ssf=56 read
    by * break


which gives access to read (and lesser privs) for the suPrivilegeGroup attribute
when the value starts with itss-smarts.

I also have:

access to dn.children="cn=people,dc=stanford,dc=edu" filter=(suprivilegegroup=itss-smarts:*) attrs=uid
    by dn.base="cn=smarts,cn=service,cn=applications,dc=stanford,dc=edu" sasl_ssf=56 read
    by * break


so that principal can get UID for any entry that has itss-smarts:* for a value
of suprivilegegroup.

However, I find that I'm unable to search like this:

ldapsearch -h ldap9 -b"dc=stanford,dc=edu" "(suprivilegegroup=itss-smarts:*)"

which according to the ACL rules is a valid search, since the principal has READ
on suprivilegegroup where the values start with itss-smarts:

--Quanah