[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: access control broken (ITS#4019)

Hi again

Ok, I think I understand what you were saying (I missed the  
subtleties).  I didn't understand that a match on the access/filter  
line ended the search even if a "by" line wasn't matched.

The following works

access to dn.regex="uid=[^,]+,cn=users,dc=beer,dc=ivec,dc=org"  
     by * none break

access to dn.regex="uid=[^,]+,cn=users,dc=beer,dc=ivec,dc=org"  
     by dn="uid=beer,cn=users,dc=beer,dc=ivec,dc=org" write
     by * none break

access to dn.regex="uid=[^,]+,cn=users,dc=beer,dc=ivec,dc=org"  
     by dn="uid=cider,cn=users,dc=beer,dc=ivec,dc=org" write
     by * none

Thanks for putting me on the right track.


On 10/09/2005, at 14:01, Pierangelo Masarati wrote:

> Anyway, I think it works as intended.  In fact, the second rule in  
> your post
> gets caught when checking the object that contains both "cider" and  
> "beer" and
> since the user DN does not match the DN in the <who>, control  
> doesn't even get
> to the break, so the third rule is never checked.  I suspect you  
> need to add a
> "by * none break" at the end of each rule to get the behavior you  
> expect, much
> like you did in the first rule.
> p.
> PS: I suggest you try to keep your reports a bit shorter and  
> focused on the
> issue; I nearly consumed the page-up/down buttons trying to keep  
> track of what
> you're saying.

Dr Stuart Midgley
Industry Uptake Program Leader
iVEC, 'The hub of advanced computing in Western Australia'
26 Dick Perry Avenue, Technology Park
Kensington WA 6151

Phone: +61 8 6436 8545
Fax: +61 8 6436 8555
Email: industry@ivec.org
WWW:  http://www.ivec.org