more access control puzzlement
I've encountered a couple more puzzling things with access control. I'm
trying to control access by IP address and a portion of the hierarchy.
The rules I want are:
provide limited access (specific attributes, limited part of the
hierarchy) to a group of machines,
show everything to one particular host (within a limited part
of the hierarchy),
deny everything to everyone else.
Then I need to repeat these rules multiple times, each one limiting access
to a different part of the hierarchy. Last, I need a rule granting access
to a couple of machines for the entire hierarchy.
So reading between the lines, I put in multiple rules and they look like this:
# slapd.conf: a "by" clause on its own line must begin with whitespace,
# otherwise slapd reads it as a separate (unknown) directive.
access to dn="*,ou=gems,o=store" attrs=sn,entry
        by addr="22.214.171.124" read
access to dn="*,ou=gems,o=store"
        by domain="localhost" write
What seems to happen is that the first rule is used but the second one is
ignored. I've tried different variants with different default access
values and I always seem to get the results specified by the first rule.
It never seems to drop to the second rule.
What am I missing? When I search for a specific attribute 'sn=bugs10', I
get the following line in the log (-d=128):
=> acl_access_allowed: search access to value "BUGS10" by ""
<= acl_access_allowed: denied by default (no matching by)
If I eliminate the defaultaccess none rule, all the other protections
vanish, as I would expect.
Eric S Johansson firstname.lastname@example.org email@example.com
This message was composed almost entirely by NaturallySpeaking.
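As an added illustration of the behaviour the post runs into (this is not code from the message or from OpenLDAP), here is a small Python model of how slapd chooses an access directive: the first "access to" whose target covers the entry and attribute is selected, only its "by" clauses are consulted, and if none of them matches the requester the result is "none" without any later directive being examined. The dn pattern is simplified to a case-insensitive glob and the client is a dict of addr/domain values; both are assumptions of this model, not slapd's real matching code.

```python
import fnmatch

# Constructed model of slapd "access to ... by ..." selection (added example,
# not OpenLDAP code). A dn pattern is simplified here to a case-insensitive
# shell-style glob; the client is described by its peer address and domain.

# The two directives quoted in the post, as Python data.
ACLS = [
    {"dn": "*,ou=gems,o=store", "attrs": {"sn", "entry"},
     "by": [({"addr": "22.214.171.124"}, "read")]},
    {"dn": "*,ou=gems,o=store", "attrs": None,          # None = all attributes
     "by": [({"domain": "localhost"}, "write")]},
]

LEVELS = ["none", "compare", "search", "read", "write"]

def target_matches(acl, dn, attr):
    """Does this directive's 'to' part cover the entry and the attribute?"""
    if not fnmatch.fnmatchcase(dn.lower(), acl["dn"].lower()):
        return False
    return acl["attrs"] is None or attr in acl["attrs"]

def who_matches(who, client):
    """Every selector in the 'by' clause (addr=, domain=, ...) must match."""
    return all(client.get(key) == value for key, value in who.items())

def evaluate(acls, dn, attr, client):
    """Return (index of the selected directive or None, granted access level)."""
    for index, acl in enumerate(acls):
        if not target_matches(acl, dn, attr):
            continue
        for who, access in acl["by"]:
            if who_matches(who, client):
                return index, access
        # Directive selected but no 'by' matched: "denied by default (no matching by)".
        return index, "none"
    return None, "none"   # no directive matched; slapd's defaultaccess applies instead

def allowed(acls, dn, attr, client, needed):
    """True if the granted level is at least the level the operation needs."""
    _, granted = evaluate(acls, dn, attr, client)
    return LEVELS.index(granted) >= LEVELS.index(needed)

if __name__ == "__main__":
    entry = "cn=bugs10,ou=gems,o=store"
    # localhost searching on sn: directive 0 is selected (sn is in its attrs),
    # its only 'by' names another address, so the result is none; directive 1
    # is never reached even though it would grant localhost write.
    print(evaluate(ACLS, entry, "sn", {"addr": "127.0.0.1", "domain": "localhost"}))
    # localhost reading cn: directive 0 does not cover cn, so directive 1 applies.
    print(evaluate(ACLS, entry, "cn", {"addr": "127.0.0.1", "domain": "localhost"}))
```

Swapping the two directives in ACLS, or adding a "by" clause for localhost to the first one, changes the first result; that is the shape of fix the first-match rule calls for.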